//Blogs - 22 Jan 2021

AusCERT statement “QuoVadis Global SSL ICA G3” issue impacting multiple customers

Update 3: 12:00pm AEST 22 January 2021
Update 2: 12:30pm AEST 18 January 2021 
Update 1:
2:00pm AEST 16 January 2021
Initial statement release: 12:00pm AEST 15 January 2021 

“QuoVadis Global SSL ICA G3” issue impacting multiple AusCERT  DigiCert + QuoVadis customers

Update 3 (12:00pm AEST 22-1-2021)

Further to our last update, DigiCert + QuoVadis have provided AusCERT with a RCA for AusCERT Members. At 11:51am AEST the RCA was distributed by the AusCERT Team to AusCERT Members via email.


Update 2 (12:30pm AEST 18-1-2021)

Further to our last update, DigiCert + QuoVadis have today provided further details of three possible practices which may have caused this issue for impacted certificates.

1. The organisation has pinned their application to the retired ICA –  DigiCert + QuoVadis advises that this is bad practice.
2. The organisation has configured their server to only trust that specific ICA, which forces the client to use it. Then, when the ICA is changed, the chain of trust is broken.
3. The organisation operates a trust store which includes the old versions of the ICAs.

All certificates that are using the Global G2 or G3 ICAs have a potential impact, as these were both retired. The new ICAs were made available from September 2020 and from November 2020 all certificates issued from Trust Link will have been issued from these new ICAs.

Impacted customers may simply need to install the new ICA on their server to resolve the issues.

Also sharing these two external resources here:

A DigiCert + QuoVadis’ statement regarding ICA replacements can be found here: https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html

Last but not least, a corporate statement from  DigiCert + QuoVadis regarding this issue can also be found on their website here:  
[NOTE: this same statement was covered by AusCERT in the initial publication of our statement (blog post) with the exception of the signing service instructions found at the bottom of this page.]

Update 1 (2:00pm AEST 16-1-2021)

As a part of initial correspondence with DigiCert + QuoVadis we were informed that their teams were working to gather a report of all certificates impacted by the ICA changes on Friday, 15 January 2021. However, we were discouraged to receive an update today, 16 January 2021, that the DigiCert + QuoVadis teams are unable to report the certificates which were impacted by this ICA change.

The DigiCert + QuoVadis team largely believe the impacted certificates are receiving errors due to applications being pinned to the serial number of the revoked ICA. Here is more information on certificate pinning: https://www.digicert.com/dc/blog/certificate-pinning-what-is-certificate-pinning/

As we continue to work with DigiCert + QuoVadis regarding this incident, please be assured we will continue to urge they provide further assistance for remediation. 


Initial statement (12:00pm AEST 15-1-2021) 

The AusCERT team was made aware that a number of our Certificate Services clients have been experiencing problems with the above intermediate certificate, QuoVadis Global SSL ICA G3, since approximately 8.30am AEST.

Following this notification, the team acted immediately and got in touch with the team from DigiCert + QuoVadis for clarification. 

An internal investigation was then conducted by the DigiCert + QuoVadis compliance team and following this, we can now confirm that the QuoVadis Global SSL ICA G3 intermediate certificate (ICA) was revoked earlier today. An action which AusCERT was unaware of prior to it taking place.

The new version was made available to QuoVadis users last year and can be downloaded from the following repositories:

Repository: https://www.quovadisglobal.nl/Repository/DownloadRootsAndCRL.aspx 
Direct download of new ICA: http://trust.quovadisglobal.com/qvsslg3.crt

The replacement is also in Trust Link.

The certificate does not need to be replaced as it has the same chain. Impacted users will have to configure the server with the new ICA, replacing the old version. Again, please refer to the above repository for the new ICA details.

The rotation of ICAs is a policy DigiCert has introduced in order to prevent non best practise habits from occurring, such as certificate pinning.

Further information on certificate pinning can be found here: https://www.digicert.com/dc/blog/certificate-pinning-what-is-certificate-pinning/ 

Again, the AusCERT team was not made aware of the revocation and had worked on investigating this problem as soon as we were alerted by members.

DigiCert + QuoVadis  apologises that significant notice hasn’t been provided to those impacted members.

Does this impact all certificates? No, this has only impacted one of several ICAs QuoVadis use.
The AusCERT team has now been in contact (via email) with all those members whom we are aware have been impacted by this issue. 

If you are an affected member requiring further assistance with regards to this issue, please contact: 

AusCERT Membership Team
07 3365 4417