[asterisk-dev] NET::ERR_CERT_SYMANTEC_LEGACY: Re-issue your RapidSSL certificate!

Alexander Traud pabstraud at compuserve.com
Sun Aug 5 05:18:13 CDT 2018

All asterisk.org (sub-) domains are secured by an SSL/TLS certificate from RapidSSL which chains up to the trust anchor "GeoTrust Global CA". That trust anchor belonged to Symantec. Since Chrome 70, Google removes all trust in former Symantec trust anchors. When you re-issue your certificate, the new owner DigiCert is going to give you a certificate chain to a new and still trusted anchor, for free: <http://products.geotrust.com/orders/orderinformation/authentication.do>


Google Chrome 70 entered the Developer channel (aka "unstable") <http://www.chromium.org/getting-involved/dev-channel> on Friday <http://chromereleases.googleblog.com/2018/08/dev-channel-update-for-desktop_3.html> and therefore is available to Linux users now. Because Asterisk is very much developer-centric, I expect that several Asterisk users and developers are using Google Chrome in that channel. Therefore, and because the re-issue is free and you could have gone for it since December already, please re-issue as soon as possible.

Technical Notes:

Enter CSR: If you enter the CSR used by our original order, you do not have to change the private key on your server. Only the public certificates must be changed.

Hashing Algorithm = SHA-1 root: Your chain is going to resolve to "DigiCert Global Root CA". Therefore, I recommend adding the intermediate certificate to "Baltimore CyberTrust Root" <http://ssl-tools.net/subjects/8051060132ad9ac27d5187a0e887fb01620155ee>. This gives broader compatibility, even with legacy SSL/TLS clients, at no additional cost.

Hashing Algorithm = SHA-256 root: Your chain is going to resolve to "DigiCert Global Root G2". Therefore, consider adding the intermediate to "VeriSign Class 3 Public Primary Certification Authority - G5" <http://ssl-tools.net/subjects/39d28b71fe1d19b65fb3f1288f23bc04595c4395> and "VeriSign Class 3 Public Primary Certification Authority - G3" <https://crt.sh/?caid=443> and "VeriSign Class 3 Public Primary Certification Authority" (G1) <http://ssl-tools.net/subjects/7a838e245f34e61aaa343e930d5a325a60c56d6c>. Although those three anchors are not trusted either, up-to-date SSL/TLS clients stop at the first trusted anchor in the chain and do not see those older ones. This gives the broadest compatibility with legacy platforms. However <https://bugzilla.mozilla.org/show_bug.cgi?id=1401384#c10>: "[DigiCert is] strongly advising subscribers not to use [this particular] cross-sign and, if used, remove [this] cross-sign prior to September 2018 as [DigiCert is] not sure how the distrust will impact [this] cross-sign." Therefore, I went for the Hashing Algorithm "SHA-1 root" on all my installations.
