Now You See It, Now You Don’t … Oh Wait, It’s Back
Microsoft did a good thing which unfortunately produced some bad results for some sysadmins. They have a system in place to deprecate ancient root certificates, which is very much best practice. The problem is that while it is relatively easy to update the root certificates for a website, updating the ones that apps depend on is much less fun. Microsoft changed the trust setting on a Symantec root certificate to a 2019 cutoff: certificates were still trusted as long as they were issued before 2019, but not if they were issued afterwards. After various enterprises ran into software installation errors because of the now-untrusted root certificate, Microsoft changed the setting back to what it had been.
The reason they wanted to deprecate the certificate dates back to 2015, when Google caught Symantec issuing improper certificates. Google determined that over 30,000 improper certificates had been issued, which makes for a monstrous security concern, as an enterprising hacker could take advantage of this to install software on other machines or impersonate a secure website. Google laid down an ultimatum and then followed through on it: their Chrome browser was set to not trust any certificate issued by Symantec. This move was adopted by numerous other companies, and any certificate issued before 2019 stopped being accepted.
The one exception, until recently, was Microsoft. They were happy to continue to accept those certificates; when they did break that trust, they discovered any number of legacy apps which required them. They have reversed course for now, but we really need to get rid of these ancient root certificates!
The VeriSign Class 3 Public Primary Certification Authority – G5 is distrusted as of 2019 and was set to “NotBefore” in a previous release. This means that certificates issued after the NotBefore date will no longer be trusted; however, certificates issued before the NotBefore date will continue to be trusted.
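The two policies described above, Chrome's full distrust of the Symantec roots and Microsoft's date-gated "NotBefore" distrust, differ only in one check, and the difference is exactly what tripped up the legacy apps. The following is an added example, not Microsoft's, Google's or any vendor's code: it models a certificate chain as plain records (no X.509 parsing, so it runs offline) and evaluates it against both rule styles. The root subject name is the one quoted in the post; the 2019-01-01 cutoff, the chain dates and the signer names are constructed for illustration. The model applies the NotBefore cutoff to every certificate chained under the distrusted root rather than only to the leaf, which is a design choice of the example, not a statement of how Microsoft's store evaluates the property.

```python
"""Model of date-gated ("NotBefore") root distrust versus full distrust.

Added illustration; not code from Microsoft or Google. Chains are plain
records ordered leaf -> root, so no key material or X.509 parsing is needed.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date  # the certificate's own validity start (X.509 notBefore)


class Mode(Enum):
    FULL = "full"              # never trust anything under this root (Chrome-style)
    NOT_BEFORE = "not_before"  # trust only certs issued before a cutoff (Microsoft-style)


@dataclass(frozen=True)
class DistrustRule:
    root_subject: str
    mode: Mode
    cutoff: Optional[date] = None  # required when mode is NOT_BEFORE


# Root name as quoted in the post; the cutoff date below is an assumption.
VERISIGN_G5 = "VeriSign Class 3 Public Primary Certification Authority – G5"
MS_RULES = [DistrustRule(VERISIGN_G5, Mode.NOT_BEFORE, date(2019, 1, 1))]
CHROME_RULES = [DistrustRule(VERISIGN_G5, Mode.FULL)]


def evaluate_chain(chain: list[Cert], rules: list[DistrustRule]) -> tuple[bool, str]:
    """Return (trusted, reason) for a leaf->root chain under the given rules."""
    if not chain:
        return False, "empty chain"
    root = chain[-1]
    if root.subject != root.issuer:
        return False, "chain does not terminate in a self-signed root"
    # Structural check: each certificate must be issued by the next one up.
    for i in range(len(chain) - 1):
        if chain[i].issuer != chain[i + 1].subject:
            return False, f"issuer mismatch at position {i}"
    for rule in rules:
        if rule.root_subject != root.subject:
            continue
        if rule.mode is Mode.FULL:
            return False, f"root '{root.subject}' is fully distrusted"
        if rule.cutoff is None:
            raise ValueError("NOT_BEFORE rule requires a cutoff date")
        # Date-gated distrust: every certificate issued under the root must
        # predate the cutoff. The root itself is the anchor, not an issued cert.
        for cert in chain[:-1]:
            if cert.not_before >= rule.cutoff:
                return False, (f"'{cert.subject}' issued {cert.not_before.isoformat()} "
                               f"on or after cutoff {rule.cutoff.isoformat()}")
    return True, "no distrust rule applies"


def audit_flips(chains: dict[str, list[Cert]], before: list[DistrustRule],
                after: list[DistrustRule]) -> list[str]:
    """Names of chains that are trusted under `before` but not under `after`.

    This is the question a sysadmin wants answered before a root-store change:
    which signed installers will stop validating?
    """
    return [name for name, chain in chains.items()
            if evaluate_chain(chain, before)[0] and not evaluate_chain(chain, after)[0]]


# Constructed sample data (dates and signer names are illustrative only).
ROOT = Cert(VERISIGN_G5, VERISIGN_G5, date(2006, 1, 1))
OLD_SIGNER = Cert("CN=legacy-app-signer", VERISIGN_G5, date(2017, 5, 1))
NEW_SIGNER = Cert("CN=newer-signer", VERISIGN_G5, date(2019, 6, 1))
SAMPLE_CHAINS = {
    "legacy-installer": [OLD_SIGNER, ROOT],
    "newer-installer": [NEW_SIGNER, ROOT],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(name, "Microsoft:", evaluate_chain(chain, MS_RULES))
        print(name, "Chrome:   ", evaluate_chain(chain, CHROME_RULES))
    print("break on NotBefore change:", audit_flips(SAMPLE_CHAINS, [], MS_RULES))
    print("break on full distrust:   ", audit_flips(SAMPLE_CHAINS, [], CHROME_RULES))
```

Under the date-gated rule the 2017 signer still validates and only the 2019 one fails, which is why the change looked harmless until an installer signed after the cutoff showed up; under full distrust both fail, which is the end state the post argues for. Running `audit_flips` with the current rule set as `before` and the proposed one as `after` over an inventory of application signing chains gives the list of installers to re-sign before the store is changed.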