Jun 012020

If you’re running a Sophos UTM firewall, you may start noticing websites not loading properly, or presenting an error reporting that a root CA has expired.

PLEASE NOTE: If you are experiencing this on September 2021 or later, please see DST Root CA X3 Certificate Expiration Problems and Fix.

The error presented is below:

Sectigo COMODO CA Cetificate Untrusted Website Certificate has expired

Webpages that do not present an error may fail to load, or only load partial parts of the page.

Update June 3rd 2020 – There are reports that this issue is also occurring with other vendors security solutions as well (such as Palo Alto Firewalls).

The Issue

This is due to some root CA (Certificate Authority) certificates expiring.

Particularly this involves the following Root CA Certificates:

  • AddTrust AB – AddTrust External CA Root
  • The USERTRUST Network – USERTrust RSA Certification Authority
  • The USERTRUST Network – USERTrust ECC Certification Authority

Read more about the particular issue here: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

The Fix

To resolve this, we must first disable 3 of the factory shipped Root CA’s (listed above) on the Sophos UTM, and then upload the new Root CAs.

You’ll need to go to the following links (as referenced on Sectigo’s page above, and download the new Root CAs:

USERTrust RSA Root CA (Updated) – https://crt.sh/?id=1199354

USERTrust ECC Root CA (Updated) – https://crt.sh/?id=2841410

When you go to each of the above pages, click on “Certificate” as shown below, to download the Root CA cert.

Download Updated Root CAs Example

Do this for both certificates and save to your system.

Now we must update and fix the Sophos UTM:

  1. Log on to your Sophos UTM Web Interface
  2. Navigate to “Web Protection”, then “Filtering Options”, then select the “HTTPS CAs” tab.
  3. Browse through the list of “Global Verification CAs” and disable the following certificates:
    1. AddTrust AB – AddTrust External CA Root
    2. The USERTRUST Network – USERTrust RSA Certification Authority
    3. The USERTRUST Network – USERTrust ECC Certification Authority
  4. Scroll up and under “Local Verification CAs”, use the “Upload local CA” to upload the 2 new certificates you just downloaded.
  5. Make sure they are enabled.

After you complete these steps, verify they are in the list.

New USERTrust Root CAs Enabled

After performing these steps you must restart the HTTPS Web filter Scanning services or restart your Sophos UTM.

The issue should now be resolved. Leave a comment and let me know if it worked for you!