ICA Check

Problem Description

A couple of intermediate certificates, or intermediate CAs (ICAs), that have been used to sign a large number of user certificates have been found to have too much power (see explanation) and therefore have to be replaced. A large number of CAs are affected worldwide. When such an ICA is revoked, all leaf certificates that were signed by it become invalid. These leaf certificates should therefore be replaced beforehand in order to avoid damage, i.e. nasty browser warnings.

The ICA in question is the following:

  1. "QuoVadis Swiss Advanced CA G3" with Subject Key Identifier 06:6C:B3:E9:CF:E0:3B:70:5D:1E:79:B7:BE:F0:F6:6D:7D:36:88:22. Certificates that have been signed with this one must be replaced before December 31, 2020.

How to find out whether my certificate is affected

Your RA administrator has obtained a list with affected certificates for your organisation. 

QuoVadis Swiss Advanced CA G3

This intermediate certificate has been used to sign user certificates. Have a look at your personal certificate to see whether it is affected. Sample screenshots:

[Screenshots: KeyChain_Affected, UserFirefox, UserFirefox2]

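If you find the string "QuoVadis Swiss Advanced CA G3" in the issuer name, and the value 06:6C:B3:E9:CF:E0:3B:70:5D:1E:79:B7:BE:F0:F6:6D:7D:36:88:22 in the issuing key identifier field (the certificate's Authority Key Identifier), then your certificate is affected.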
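For a certificate exported as a PEM file, the same two-field check can be scripted. The following is an added example, not part of the original page: the function names and the sample dumps are constructed, and the file wrapper assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: test the issuer name and the Authority Key Identifier.
ICA_NAME='QuoVadis Swiss Advanced CA G3'
ICA_KEYID='06:6C:B3:E9:CF:E0:3B:70:5D:1E:79:B7:BE:F0:F6:6D:7D:36:88:22'

# Reads `openssl x509 -noout -text` output on stdin. Returns 0 only when the
# issuer name AND the key identifier both match the affected ICA.
# The body runs in a subshell, so its variables do not leak to the caller.
ica_check_text() (
    text=$(cat)
    issuer=$(printf '%s\n' "$text" | sed -n 's/^ *Issuer: *//p' | head -n 1)
    # The value is on the line after the extension header. Some OpenSSL
    # versions print "keyid:<hex>", others the bare hex string; accept both.
    akid=$(printf '%s\n' "$text" |
        grep -A1 'X509v3 Authority Key Identifier' | tail -n 1 |
        tr -d ' \r' | sed 's/^keyid://' | tr 'a-f' 'A-F')
    case "$issuer" in
        *"$ICA_NAME"*) ;;          # issuer name contains the ICA name
        *) return 1 ;;
    esac
    [ "$akid" = "$ICA_KEYID" ]     # a name match alone is not enough
)

# Wrapper for a PEM certificate file on disk (needs the openssl CLI).
ica_check_file() { openssl x509 -in "$1" -noout -text | ica_check_text; }

# Constructed sample dumps (not real certificates), trimmed to the two fields.
SAMPLE_KEYID_PREFIX="        Issuer: C = XX, O = Constructed Sample, CN = $ICA_NAME
            X509v3 Authority Key Identifier:
                keyid:$ICA_KEYID"
SAMPLE_BARE_HEX="        Issuer: C = XX, O = Constructed Sample, CN = $ICA_NAME
            X509v3 Authority Key Identifier:
                $ICA_KEYID"
SAMPLE_G4="        Issuer: C = XX, O = Constructed Sample, CN = QuoVadis Swiss Advanced CA G4
            X509v3 Authority Key Identifier:
                keyid:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"

report() {
    if printf '%s\n' "$2" | ica_check_text; then echo "$1: affected"
    else echo "$1: not affected"; fi
}
report "keyid-prefixed dump" "$SAMPLE_KEYID_PREFIX"
report "bare-hex dump" "$SAMPLE_BARE_HEX"
report "G4-issued dump" "$SAMPLE_G4"
```

Certificates held only in a browser or Keychain store have to be exported first; a .p12 export must be converted to PEM before `ica_check_file` can read it.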

Replace the certificate

If your certificate is affected, then you should replace it before December 31, 2020, as described above. To do so, please submit a new CSR and revoke the old certificate.

Please note:

The new user certificate is issued by the new ICA "QuoVadis Swiss Advanced CA G4":

https://www.quovadisglobal.ch/Repository/DownloadRootsAndCRL.aspx
Serial: 7BDCBB6FCD4D0219C87D4879F4F4D715B6B834AE

Currently, certificates with special characters such as "ä, ö, ü, é…" cannot be generated in Mozilla Firefox. In this case, please generate the certificate with the Chrome browser. Afterwards, export the certificate as a .p12 file from your certificate store and import it into your mail client.

Thank you for your collaboration.