IBM Maximo SECTIGO Root Certificate is Expired!

The use of https to provide security against hacking and other security loopholes is very common today and each enterprise application only accepts trusted Certification Authority (CA). Organizations using IBM Maximo also use the SECTIGO wildcard cross-signed SSL certificate for the same.

You may run into an issue where Maximo URL stopped working as it was showing SSL connection error in web server logs. Below post talks about what are the different types of the certificate which you can find in your Maximo set up and how to resolve issues if you get an error SECTIGO or Root Certificate is Expired.

What is a Root Certificate?

In cryptography, a root certificate is a public key certificate. Root certificates are self-signed and support a public key network based on X.509 (standard defining the format of Public Key Certificates). A root certificate becomes a trusted root certificate (or trusted Certification Authority) by virtue of being included in a piece of software like a browser or OS by default in the trust store. These trusted stores are frequently updated by the client software or OS as part of security updates, but for older obsolete platforms the update happens only during a full software update.

Certificates are issued for your site from a “chain” of issuance or “intermediate” CA that completes a path back to these trusted root certificates. Any certificate that cannot be used to sign other certificates is called an end-entity certificate or Leaf certificate. A certificate used to sign other certificates is called an Intermediate certificate. An intermediate certificate must be signed by another intermediate certificate or a root certificate.

What Is Cross-Signing?

Certificate Authorities frequently control multiple root certificates, and an older root is more widely distributed on an older platform. To take advantage, CAs generate cross-certificates to ensure that their certificates are supported as widely as possible. The cross-certificate uses the same public key as the root being signed, and the same subject.

What is the SECTIGO Root Certificate?

SECTIGO offers the ability to cross-sign certificates with the legacy root of AddTrust in order to expand support among very old systems and devices. Sectigo offers a new cross signing option for unusual cases with its AAA root.

Important point to note here is that the SECTIGO Root certificate is different from the default WebSphere application server root Certificate. SECTIGO root certificate will be signed by a trusted certificate authority. SECTIGO operates a root certificate named the AddTrust external CA root used to establish cross-certificates to SECTIGO’s root certificates, the COMODO RSA Certification Authority, and USERTrust RSA Certification Authority.

What if the SECTIGO Root Certificate is Expired?

While checking the Maximo Web Server logs, If you found this error “CERTIFICATE VALIDATION ERROR (SSL0208E)” repeatedly then it is an issue with the certificate being expired. The first step should be to check the validity of the CA certificate and then check validity for the Root certificate. We have seen scenarios where CA certificates are active, but Root certificates have expired. Following are the steps to resolve the root certificate expired issue-

  • Start the IKEYMAN tool and open the key file.
  • Go to the Signer Certificates section, if you see AddTrust certificate added remove that certificate.
  • Download the following three certificates:

Root Certificate→ AAA Certificate Services  https://crt.sh/?id=331986

Intermediate certificate→ Sectigo RSA Domain Validation Secure Server CA https://crt.sh/?id=924467861

Intermediate Certificate 1→ USERTrust RSA Certification Authority https://crt.sh/?id=1282303295

  • Add the three certificates in the signer certificates section of the key file in the IKEYMAN tool.
  • In windows server, Go to Manage User Certificates→ Trusted Root Certification AuthoritiesCertificates.
  • Check for AddTrust External CA Root and remove from the certificate
  • Import the new certificates to the user to manage certificates.
  • Now Restart the Webserver and check now, the SSL Certificate will be working.

Author

Dhayanithi Palaniappan
Maximo Consultant at EAM360 Mobile App for Maximo

Accreditations