Package: ca-certificates
Version: 20230311+deb12u1

Dear maintainer,

One of our partners (an American health insurance company) recently changed
the certificates for their API and this broke our connectivity. This report is
similar to #1095913 since it also involves certificates issued by Entrust, but
the root missing in question is "SSL.com TLS RSA Root CA 2022" and not one from
Sectigo. We were able to work around it by manually adding this root
certificate and running update-ca-certificates.

After doing so the chain looks like this with openssl s_client:
depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS RSA Root CA 2022 verify return:1
depth=1 C=US, O=SSL Corporation, CN=Entrust OV TLS Issuing RSA CA 1
verify return:1
depth=0 [leaf cert details omitted] verify return:1

https://crt.sh/?id=7439767372 and https://crt.sh/?id=14258407195 respectively.

FWIW, on July 24, 2024 SSL.com posted this announcement about partnering with
Entrust:
https://www.ssl.com/blogs/ssl-com-and-entrust-form-strategic-partnership/
> SSL.com plans to implement multiple integration paths with Entrust, including
> Entrust serving as an external Registration Authority (RA) for Identity
> Validation. As an external RA, Entrust will be aligned with the policies and
> practices of SSL.com, with SSL.com acting as the Certification Authority.

Same as with the aforementioned bug report, please consider adding the root CA
to ca-certificates in stable.

Kind regards,
Bart

Reply via email to