Replacement of Sectigo EV certificates
21 January 2020
It has recently become known that a number of Sectigo EV certificates contain information that is not allowed. These certificates must be replaced at very short notice in order to remain trusted by browsers. This development has no impact on the security of the affected certificates, but it does mean that many organisations have to replace their certificates very quickly to prevent error messages.
What exactly is going on?
We have been informed by Sectigo that information about the jurisdiction of incorporation has been included in EV SSL certificates, namely the place and province of the trade register in which the organisation is registered. The CA/Browser Forum determines in the EV guidelines what may and may not be included in an EV certificate. According to these guidelines, the JOI (Jurisdiction of Incorporation) locality and state/province fields must be empty as soon as a trade register operates nationally rather than regionally. As a result, information has been added that, according to the guidelines, may not be included in a certificate. Despite regular inspections by Sectigo, these fields were never noticed. Unfortunately, the guidelines are not always clear, so situations like this arise more often. For example, EV certificates issued by DigiCert also recently had to be replaced because of incorrect JOI fields.
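As an added example (not code from Xolphin or Sectigo), the following Go program shows the check an operator would run over their own certificates: it builds a constructed self-signed test certificate carrying the JOI subject attributes and reports any JOI locality or state/province values, which are exactly the fields that must be absent for a nationally registered organisation. The OIDs are the EV Guidelines' jurisdiction attributes and are not stated on this page; the subject values are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Subject attribute OIDs the EV Guidelines define for the Jurisdiction of Incorporation (JOI).
var (
	oidJOILocality = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 1}
	oidJOIState    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 2}
	oidJOICountry  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// RegionalJOI returns the JOI locality and state/province values in the subject; an organisation in a
// national trade register must have none, so a non-empty result flags a certificate to replace.
func RegionalJOI(cert *x509.Certificate) (found []string) {
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && (atv.Type.Equal(oidJOILocality) || atv.Type.Equal(oidJOIState)) {
			found = append(found, s)
		}
	}
	return found
}

// NewTestCert self-signs a certificate with a constructed subject: JOI country always, and the
// disallowed JOI locality/state fields when regional is true. Test data only, not a Sectigo cert.
func NewTestCert(regional bool) (*x509.Certificate, error) {
	extra := []pkix.AttributeTypeAndValue{{Type: oidJOICountry, Value: "NL"}}
	if regional {
		extra = append(extra, pkix.AttributeTypeAndValue{Type: oidJOILocality, Value: "Amsterdam"},
			pkix.AttributeTypeAndValue{Type: oidJOIState, Value: "Noord-Holland"})
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "example.test", Organization: []string{"Example B.V."}, ExtraNames: extra}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To audit a real certificate, parse its DER with x509.ParseCertificate and pass it to RegionalJOI; NewTestCert exists only to produce an affected and a clean subject offline.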
Are these certificates not secure?
The certificates are listed as "incorrectly issued certificates", so this does not affect the technical functioning and security of the certificates, nor has any certificate been fraudulently issued to an entity. However, in order to continue to comply with the EV guidelines of the CA/Browser Forum, Sectigo is obliged to revoke the affected certificates as soon as possible after reporting the incident. Of course Xolphin is fully cooperating with this procedure, and the certificates are being replaced as quickly as possible and free of charge.
What are the consequences?
If a certificate is not replaced in time, the revoked certificate leads to an unreachable website. For example: https://revoked.badssl.com/. Depending on the revocation-checking mechanism a browser uses, this error appears anywhere from immediately after the certificate is revoked to a week later at the latest.
According to the guidelines, the affected certificates must be replaced within at most 5 days of the announcement. To limit the impact as much as possible, the replacement certificates are made available by Sectigo as soon as possible and free of charge, so only a new installation is required. Naturally, all affected parties are actively informed about this and guided through the replacement process.
Due to the short replacement period, the support waiting times at Xolphin might unfortunately also be a little longer than normal. For more information, please read our FAQ. On our status page we will post updates on the latest developments and the current waiting times.