For several years, Mozilla Firefox chose not to perform any checks on the revocation status of a certificate authority's (CA) issuing sub-CA: the browser did not consult the relevant Certificate Revocation List (CRL). However, when Mozilla released Firefox 28.0 on March 19, 2014, revocation checking was turned on for a CA’s issuing sub-CA, in a way not shared by any other browser or application.
Unlike other browsers, Firefox does not look at the relevant CRL; instead it uses OCSP checking, an instant query to the issuing CA’s Online Certificate Status Protocol (OCSP) responder, to determine whether the issuing sub-CA has been revoked.
Because this method of revocation checking was not used by any browser or CA when the Trend Micro issuing sub-CA (the Trend Micro CA) was created, Trend Micro did not include the OCSP responder functionality in that certificate.
If you are using Firefox 28.0 or later, the browser still treats the session as secure and encrypted (https://) and shows the closed padlock to the client, just as it does for an OV certificate. However, because it cannot send an OCSP query for the issuing sub-CA, Firefox “downgrades” the EV certificate to the equivalent of an OV certificate and does not show the “green bar”.
Trend Micro has modified the Trend Micro CA certificate, keeping the same public-private key pair so it continues to work with your current EV certificates, and added the necessary certificate extensions so that Firefox 28.0 can check its revocation status using the OCSP method. The reissued Trend Micro CA certificate is available and in use, and will be used for all EV certificates issued after April 30, 2014. All existing EV certificates can be used as is; however, the new Trend Micro CA certificate must be installed to enable the “green bar”.
Note: There is no security issue or vulnerability if no action is taken. The only negative effect will be that the EV “green bar” will not be shown in Firefox 28.0 or above.
If you issued EV certificates before April 30 and want to enable the “green bar” in Firefox 28.0, download and reinstall the Trend Micro CA (sub-CA) certificate on each server secured by an EV certificate. You can do this either by reinstalling the new Trend Micro CA certificate alone or by reinstalling the entire Trend Micro certificate bundle, in the manner appropriate for your server.
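To confirm which shape of sub-CA certificate a server is actually sending, the following Go program (an added example, not part of this article or of Trend Micro’s tooling) parses a PEM chain or bundle and reports every CA certificate that carries no OCSP responder URI in its Authority Information Access extension, the very extension Firefox 28.0 needs. It builds two constructed, self-signed sub-CA certificates so the check runs offline; the names and URL in them are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// SubCAsWithoutOCSP parses a PEM bundle (such as the chain a server sends)
// and returns the common names of the CA certificates that carry no OCSP
// responder URI in their Authority Information Access (AIA) extension,
// which is exactly what Firefox 28.0 needs to query an issuing sub-CA.
func SubCAsWithoutOCSP(bundle []byte) ([]string, error) {
	var missing []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if cert.IsCA && len(cert.OCSPServer) == 0 {
			missing = append(missing, cert.Subject.CommonName)
		}
	}
	return missing, nil
}

// SampleSubCA builds a constructed, self-signed sub-CA certificate (not a
// Trend Micro certificate) with or without an OCSP URI, for offline testing.
func SampleSubCA(cn, ocspURL string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if ocspURL != "" {
		tmpl.OCSPServer = []string{ocspURL} // encoded as AIA id-ad-ocsp
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Feed `SubCAsWithoutOCSP` the PEM output of your server’s chain; a non-empty result names the intermediate that still needs the reissued certificate installed.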
To download the new Trend Micro CA certificate or the new Trend Micro certificate bundle:
- Sign in to your Deep Security for Web Apps account at http://was-portal.trendmicro.com.
- Go to the Protection tab and select Certificates to see a table of all your certificates.
- Use Filter by Status to select all your “Issued” certificates, then click the Type column header to sort by certificate type.
This gives you a list of all of your issued EV certificates grouped together. All EV certificates with an issue date before April 30, 2014 are affected.
- Select each affected EV certificate and download the new certificates or bundles to install the new Trend Micro CA certificate.
For instructions on how to install certificates for your specific server type, refer to the following KB article: Installing SSL certificates
You can also choose to issue new EV certificates. With your unlimited SSL license, there is no cost to do that.