Replacement Sectigo EV

It has recently become known that a number of Sectigo EV certificates contain information that is not allowed. These certificates must be replaced at very short notice in order to remain trusted by browsers. This development has no impact on the safety of the affected certificates, but it does mean that many organisations have to replace their certificates very quickly to prevent error messages.

How do I replace my certificates?

If applicable, in your account there is an overview of the certificates to be replaced on the Dashboard of the Control Panel. You can download and install the certificates here directly. The certificates are also sent by e-mail and can be picked up by API users. For help with installation, please check our installation manuals.

The certificates to be replaced are reissued by Sectigo as soon as possible and made available for download. It is possible that not all certificates are immediately available, they have the status 'Pending at Sectigo' in the Control Panel. As soon as they are ready, this status changes to 'Download'. Note: In order to avoid confusion and delay, it is not possible to request a reissue for the certificates to be replaced in a regular manner.

Control Panel

How are the replacement certificates made available?

The replacement certificates are made available by Sectigo as quickly as possible. The certificates have been reissued based on the old CSR. Confirming the DCV is therefore not necessary, and the end user of the certificate will not be contacted again for validation purposes. This means that the current private key can also be used. What might cause a delay is the (from 2017) mandatory check of CAA records. A reissue is not possible as long as they are not correctly set.

Replacement on an IIS web server

Do you use IIS and does the Certificate Wizard say that the Private Key is not found when importing the replacement certificate? Then use this manual to link the replacement certificate to the old private key.

What is the reason for this replacement?

Despite very strict checks, Sectigo recently discovered that not allowed data has been included in Sectigo EV certificates. Specifically, it concerns the JOI fields that indicate of ??jurisdiction of incorporation, this is the region (the place and province) in which the trade register used for the incorporation of the organisation is active. Because this is not in line with the EV guidelines, a correction is important. Sectigo will reissue the affected certificates without this information in it, and make them available for installation free of charge.

How did this situation occur?

The location information of an organisation is checked in a national database (in the Netherlands Chamber of Commerce), after which the place of residence is automatically supplemented with the jurisdiction (the place and province) of the trade register where the organisation is registered. According to current guidelines, these JOI (Jurisdiction of Incorporation) fields must be empty as soon as a trade register operates nationally and not regionally.

Unlike the United States, where these JOI fields usually apply, trade registers in most European countries nowadays operate nationally. As a result, information has been added that shouldn’t be included in the certificate according to the EV guidelines of the CA/Browser Forum. Unfortunately, despite regular inspections by Sectigo, these fields didn’t draw attention earlier.

Do I have to request a reissue myself?

No, in order to limit the inconvenience and workload as much as possible, the free replacement certificates will be made available as soon as possible as a download in the Control Panel. They are also sent by email. So only a new installation is needed. In order to avoid confusion and delay, it is not possible to request a reissue for the certificates to be replaced in a regular manner.

What happens if a certificate is not replaced within the specified period?

In order to continue to comply with the EV guidelines of the CA/Browser Forum, Sectigo is obliged to withdraw the affected certificates as soon as possible after reporting the incident. Naturally Xolphin is fully committed to this.

If the certificate isn’t replaced on time, the revoked certificate will result in an unreachable website. An example:  https://revoked.badssl.com/ . Depending on the control mechanism a browser uses, this warning will appear directly after revocation up to a week later. 

Does this issue also have consequences for other brands of certificates?

As far as we know, there is no impact for EV certificates from other brands that have been requested through Xolphin, but because these brands do the validation themselves, this cannot be said with certainty. For example, EV certificates issued by DigiCert have a similar problem with the JOI fields. Although this occurs in the same period and specifically concerns the same certificate fields, the details do differ slightly: in this case, incorrect information ended up in these fields due to human errors, such as place names that do not match a province or spelling errors in a place name.

Does this issue also have consequences for DV and OV certificates?

No, this issue does not affect DV and OV certificates, because the EV guidelines do not apply to these certificates.

Why do I suddenly have to replace my certificate, it is already over a year old?

We have only recently been informed of this. Despite the fact that a certificate is already older, an additional check by Sectigo has just discovered this unchecked data. And because this is in line with the strict EV guidelines, immediate action is needed.

Does this mean my old certificate is unsafe? 

These certificates are classified as “mis-issued certificates” but the certificates are functionally without flaw (until they are revoked), and there is no instance an entity was able to obtain a certificate through deceptive means. The relevant certificates are not unsafe, there is just too much data included in the certificate. To continue to comply with the strict EV guidelines, a correction is necessary.

Is the information in the certificates incorrect now?

Unlike in the United States, where these fields usually apply, trade registers in most European countries nowadays operate nationally. This means that information has been added that is mostly correct (because it comes from official registers), but that is not permitted according to the EV guidelines of the CA/Browser Forum.

Does the replacement certificate affect the duration of the certificate?

No, with a reissue you always receive a new certificate with the same end date as the old certificate.

Do I have to reinstall the reissued certificates?

Yes, it is important to replace the reissued certificates directly on the server. The old certificates will be withdrawn on short term and will then no longer be trusted. For help with installation, please check our installation manuals.

How do I know if the new certificate has been installed correctly?

You can easily check this via the SSLcheck by entering the domain name of the certificate. The correct certificate has the same end date as the old certificate, but is valid from '2020-01-22'.

Where can I find this information in a certificate?

The fields can be found in the 'Subject' section of the EV certificate, where all organisation data are stored. You can find this by opening the certificate through your browser by clicking on the lock in the address bar and then clicking on View certificate> details> certificate fields> certificate holder. Example from a certificate:

   Object identifier (1 3 6 1 4 1 311 60 2 1 1) = Location, for example Alkmaar

   Object identifier (1 3 6 1 4 1 311 60 2 1 2) = Province, for example Noord-Holland

   Object identifier (1 3 6 1 4 1 311 60 2 1 3) = Country code, for example NL

In the example above, the City and Province fields are not allowed according to the EV guidelines.

What is the relationship between Xolphin and Sectigo?

As a reseller, Xolphin delivers SSL certificates from the CA (Certificate Authority) Sectigo, formerly Comodo, established in the United States. As an RA (Registration Authority), Xolphin takes care of the validation of company data for Sectigo certificate requests. This concept combines globally trusted certificates with local service and speed.

Replace certificates

SSLCheck

Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues

point up