​GlobalSign security certificate foul-up knocks out secure websites

If you can’t get to some of your favorite websites today, it’s may not have a thing to do with your browser or ISP. The blame likely goes to GlobalSign, a Belgium-based security certificate provider. The company fouled up a clean-up of some of their root certificates links. This resulted in many “secure” websites showing up as being insecure and, depending on your web browser, unavailable.

In a word: Yuck.

If you got an error message such as: “You cannot visit www.example.com right now because this certificate has been revoked,” you ran into this problem. You can easily bypass this error in most web browsers and operating systems. So, for most non-technical users, any website using a GlobalSign certificate for security is essentially offline.

Here’s how it happened. GlobalSign manages several root Secure Sockets Layer (SSL) certificates. A root SSL certificate is a certificate issued by a trusted certificate authority (CA). They are essential for the web’s security.

For browser compatibility GlobalSign linked several cross-certificates between those roots to maximize. So far, so good. Then they decided to remove some of those links. In the process they revoked a cross-certificate linking two roots together that should not have been touched. It kept working… for a while. Then, their Online Certificate Status Protocol (OCSP) server started reporting that the cross-signed root had revoked all the downstream certificates.

Whoops.

The good news is that GlobalSign has removed the cross-certificate from the OCSP database and cleared all its caches.

The bad news is GlobalSign customers need to replace their SSL certificates. That’s not too bad. It’s what system and network administrators are paid to do.

The really bad news is those same corrupt certificates are now on end-user systems. There they will block the affected sites for as long as week. There are ways to fix this, but I only recommend them for powers users. Feeling up to the job? OK, here you go:

Windows users need to take the following steps:

Go to Start Menu > Run Type cmd and press Enter

Then enter the following command:

certutil -urlcache * delete

On a Mac, you need to open a terminal and enter the following command:

sudo rm /var/db/crls/*cache.db

This will delete the following files:

• var/db/crls/crlcache.db
• /var/db/crls/ocspcache.db

Finally, on a Linux desktop, you open a shell program and run this command:

dirmngr –flush

If you then see a message such as “No such file or directory,” then your desktop hasn’t been set up to cache SSL certificates.

In all these cases, after taking these steps you should be able to reach the sites again once their system administrators have installed the new certificates.

Related Stories: