Expired Certs Cause Headaches > Pull the plug on Verisign

Pull the plug on Verisign

Aside from the fact that Verisign wasn't more vocal about this intermediate cert expiring and making a big deal on their website about it, they didn't do anything wrong. The certificate expired right on time, exactly like had been designated when it was created back in 1997. It wasn't like Verisign proactively pushed some magic button to expire this certificate all over the world at the same time. It was built into the certificate when it was originally generated.

It is the customer's job to track the expiration of their own certificates they are using on SSL or signed applications. This would include Microsoft and every other company who signs software with these certs, anyone who hosts an SSL site with a Global Server ID, and not to mention all the backend components that use SSL over their transport mechanism which had a much more fatal reaction to the expiration than client's web browsers did.

Verisign had been signing all new certificates since early in 2001 with the new intermediate certificate. But, you weren't forced in software to update the intermediate certificate when these new certs were installed and everything worked business as usual. If the customer didn't update the intermediate certificate when they renewed the related certificate, then that was their oversight.

Yes, Verisign should have made a bigger deal out of it than they did. Certificates can't be valid forever. Unfortunately, many customers only track their own purchased certificates for expiration.

So the lesson that everyone will forget between now and 10/24/2011 is that they have to keep watch over the root and intermediate CA's on their servers and applications as well.
--
Remember what they say: "There are 10 types of people in the world.. those who understand binary, and those who don't."