topic Re: ACTION NEEDED: Time Stamp Authority (TSA) server root certificatio in Webex Administration

ACTION NEEDED: Time Stamp Authority (TSA) server root certification

eliegerges — Tue, 19 Apr 2022 05:48:44 GMT

Dears,

I received the below email :

ACTION NEEDED: Time Stamp Authority (TSA) server root certificate has expired

Dear Webex Customer,

This message is to inform you that the Time Stamp Authority (TSA) server root certificate has been updated as of April 1, 2022, from DigiCert to DigiCert Trusted Root G4.

If you haven’t already, please take action immediately to install DigiCert Trusted Root G4 on your users’ machines to avoid issues with releases and product updates delivered after April 1, 2022. You can download the DigiCert Trusted Root G4 certificate here.

Kindly advise what actions should be done from my side as the email is unclear

Thank you

Re: ACTION NEEDED: Time Stamp Authority (TSA) server root certificatio

Vaijanath Sonvane — Tue, 19 Apr 2022 12:16:45 GMT

Hi @eliegerges,

I had similar question and opened case with Cisco. Below is the response:

According to the RFC 3161 standard, a trusted timestamp is a timestamp issued by a Trusted Third Party (TTP) acting as a Time Stamping Authority (TSA). It is used to prove the existence of certain data before a certain point (e.g. contracts, research data, medical records, ...) without the possibility that the owner can backdate the timestamps. Multiple TSAs can be used to increase reliability and reduce vulnerability.
The newer ANSI ASC X9.95 Standard for trusted timestamps augments the RFC 3161 standard with data-level security requirements to ensure data integrity against a reliable time source that is provable to any third party. This standard has been applied to authenticating digitally signed data for regulatory compliance, financial transactions, and legal evidence.

I checked with some of our customers and also checked on my PC and this certificate is already installed on end user machines. My guess is that the certificates gets installed with Windows update.

If you don't see this certificate then, as recommended by Cisco, install it on end user machines.

Re: ACTION NEEDED: Time Stamp Authority (TSA) server root certificatio

eliegerges — Tue, 19 Apr 2022 12:26:01 GMT

Hello @Vaijanath Sonvane

Thank you for your reply but i need to ask you why it is related to Webex and the email was sent by Webex Global Communications?

Re: ACTION NEEDED: Time Stamp Authority (TSA) server root certificatio

Ashish Patel — Tue, 19 Apr 2022 13:51:06 GMT

Its because webex uses digicert certs https://help.webex.com/en-us/article/WBX264/How-Do-I-Allow-Webex-Meetings-Traffic-on-My-Network?#id_135010 *.digicert.com

Re: ACTION NEEDED: Time Stamp Authority (TSA) server root certificatio

Vaijanath Sonvane — Tue, 19 Apr 2022 13:52:48 GMT

Hi @eliegerges,

Because end users are using Webex App on their PC and this certificate is related to Webex. That is why the email communication is from Webex Global Communications.

Re: ACTION NEEDED: Time Stamp Authority (TSA) server root certificatio

eliegerges — Thu, 21 Apr 2022 12:22:40 GMT

@Ashish Patel but before we didnt use to add any certificate what have changed now ?

Re: ACTION NEEDED: Time Stamp Authority (TSA) server root certificatio

Shalid Kurunnan Chalil — Thu, 21 Apr 2022 14:04:34 GMT

Hi,

The operating system includes most of the public trusted certificate authorities' root certificates in their trusted store. Sometimes the system administrator applies/installs these certificates via the group policies. The webex was signed by an earlier generation root certificate from Digicert and it should be available in the trusted store and there is no requirement to manually add the certificate into the trusted store. But the information was always available on help.webex.com. A few months back, we had a similar issue when Cisco updated to use identrust.com.

The public CA, Digicert has updated its root CA to DigiCert Trusted Root G4. Since it is new, there may be a chance that your PC may not be updated with the new certificates in its trusted store.

Regards

Re: ACTION NEEDED: Time Stamp Authority (TSA) server root certificatio

emiliolara — Mon, 25 Apr 2022 22:12:41 GMT

Cisco TAC response:

It applies to PC set up using WebEx meeting.

There are no actions required to do from the control hub.

If you are having Microsoft certificate store, there is no issues as the certificate will be updated by default, but if you are using custom certificate store, you need to add the certificate , this should be done from the IT department end

The certificate is not related only to WebEx, it is a general certificate. It could be installed /updated on user's devices as they are included in the OS/browser's trust store.

You don't need to install the Root CA certificates as they are included on your OS/ browser's trust store. you can go this link : https://trusted-root-g4.chain-demos.digicert.com - if your browser loads the page without warning. It trusts the DigiCert trusted root G4.