Which CA currently issues certificates for Wikipedia sites? Are there two or more different CAs issuing certificates for *.wikipedia.org?

In a short period (less than half an hour), I noticed certificates for Wikipedia issued by two different CAs (GlobalSign and DigiCert). I do not know much about certificates, so I'm asking here.

I can remember that for some time certificate(s) for Wikipedia sites was/were issued by GlobalSign. I'm using Firefox, and for the last year or two, when I clicked the green lock in the address bar, it always displayed Verified by: GlobalSign nv-sa. A few hours ago, while browsing Wikipedia from home, I opened another page in a new tab. It seemed to me that the page loaded incompletely, then stopped loading and reloaded again. I clicked the green lock and this time it displayed Verified by: DigiCert Inc. I am not sure whether I saw Verified by: GlobalSign earlier in the same session, though.

I closed all tabs, cleared history and cache and restarted the browser. When I entered https://en.wikipedia.org in the address bar, the browser refused to open it and displayed an error page with a message that something was wrong with the certificate (I do not remember the exact error message). I visited a few other sites and did not notice any problems, then restarted Firefox again and this time was able to open https://en.wikipedia.org. The certificate was issued by DigiCert. I thought that if Wikipedia's CA had changed then there must be something about this on the web, and googled a bit, but did not find anything relevant.

I opened TBB and browsed Wikipedia in it for a few minutes and the issuer was DigiCert. At some point I opened another tab and noticed the issuer was GlobalSign nv-sa again. Now I have TBB open with two tabs; clicking the green lock icon in one tab shows Verified by: DigiCert Inc, and in another tab Verified by: GlobalSign nv-sa (see below for more differing details from these two tabs). I guess this might be due to a changed exit relay.

I found this question which seems to be related somehow.

Can someone explain what might be going on? Did Wikipedia's CA change recently or is it changing currently? Is there something to worry about?

Details from the two tabs in TBB:

Tab 1:

Issued To
  Serial Number: 05:A9:5C:0D:34:A8:31:F3:7F:8A:5F:72:9C:C2:3C:74
Issued By
  CN: DigiCert SHA2 High Assurance Server CA
  O:  DigiCert Inc
  OU: www.digicert.com
Period of Validity
  Begins On    19 Dec 2016
  Expires On   3 Jan 2018
Fingerprints
  SHA-256: E8:04:B7:5C:F2:B5:0B:1F:41:EE:B1:BB:90:81:17:8D:86:86:3F:93:25:3D:10:0D:85:8D:FB:3D:51:20:B8:6B
  SHA1:    1B:27:6F:BE:CD:10:49:C8:F2:F1:72:C8:40:99:D2:19:25:78:B9:9C
Certificate Hierarchy:
  DigiCert High Assurance EV Root CA
    DigiCert SHA2 High Assurance Server CA
      *.wikipedia.org

Tab 2:

Issued To
  Serial Number: 10:E6:FC:62:B7:41:8A:D5:00:5E:45:B6
Issued By
  CN: GlobalSign Organization Validation CA - SHA256 - G2
  O:  GlobalSign nv-sa
  OU: <Not Part Of Certificate>
Period of Validity
  Begins On:  21 Nov 2016
  Expires On: 22 Nov 2017
Fingerprints:
  SHA-256: 05:7A:A6:B4:58:FD:66:B7:F1:A0:72:2B:2E:0C:9E:08:BE:A1:76:6C:77:85:43:C0:99:01:7F:61:FF:65:7F:7E
  SHA1:    58:66:84:EF:77:3E:A0:B8:5F:23:38:73:CB:46:10:E8:D0:E0:8C:B3
Certificate Hierarchy:
  GlobalSign
    GlobalSign Organization Validation CA - SHA256 - G2
      *.wikipedia.org
See also [Certificate Patrol](https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/), an (unmaintained, it appears) Firefox extension that aims to reveal these kinds of changes. – Xiong Chiamiov Jan 06 '17 at 00:33

1 Answer

There is an ongoing task at Wikimedia to use two separate CAs:

This was originally on our long-term radar as part of the (forever-stalled and in-discussion!) [H]PKP ticket: T92002 . The recent GlobalSign issue has highlighted the need to break this out as a higher-priority action we should take on independently of that.

We need to obtain our "unified" cert from two vendors with the same SAN set, in both ECC and RSA forms. Ideally the annual renewal time for each should be at least slightly offset (~1 month?). We'll puppetize the deployment of both keys to all of the cache clusters, including live OCSP staple fetching for both from everywhere.

We'll puppetize such that VendorA's certs are live in one set of datacenters and VendorB's are live in another under normal conditions. With both in active use, we'll be ensured they're both normally working properly on fine details like browser compatibility, OCSP, PKP, etc. By splitting on regions (rather than other arbitrary splits), we avoid issues with individual clients commonly bouncing between two disparate certs and the effect that may have on performance-related issues.

On January 5th (today), a change rolled out to use both certs in normal circumstances:

These are now deployed (digicert in esams, globalsign elsewhere). Pending closing this until we document switching off either of the certs...

So in summary: yes, this is expected and not indicative of a problem.

Xiong Chiamiov
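A small defender-side check that follows from the answer: given a certificate as Python's `ssl` module reports it, confirm the issuer is one of the two vendors Wikimedia says are in active use, that the validity window covers the time of observation, and how far apart the two vendors' renewals are. This is an added example written for this page, not Wikimedia's code; the two sample dicts are constructed from the details in the question (times of day are made up, since Firefox shows dates only) and `fetch_cert` is only needed for a live check.

```python
import socket
import ssl

# Issuer organisations the Wikimedia task says are both in active use for *.wikipedia.org;
# any other issuer on a Wikipedia host deserves a closer look.
EXPECTED_ISSUERS = {"DigiCert Inc", "GlobalSign nv-sa"}

def _name_attr(name_seq, key):
    """Pull one attribute out of a getpeercert()-style name (a tuple of RDN tuples)."""
    for rdn in name_seq:
        for k, v in rdn:
            if k == key:
                return v
    return None

def assess_cert(cert, now, expected=EXPECTED_ISSUERS):
    """Check a cert dict (ssl.SSLSocket.getpeercert() format) against the issuer allowlist
    and its validity window at `now` (epoch seconds); 'problems' is empty when all is well."""
    issuer_org = _name_attr(cert["issuer"], "organizationName")
    issuer_cn = _name_attr(cert["issuer"], "commonName")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    problems = []
    if issuer_org not in expected:
        problems.append(f"unexpected issuer {issuer_org!r} ({issuer_cn})")
    if not not_before <= now <= not_after:
        problems.append("outside validity period")
    return {"issuer": issuer_org, "issuer_cn": issuer_cn, "expires": cert["notAfter"], "problems": problems}

def renewal_offset_days(cert_a, cert_b):
    """Whole days between the two certs' expiry dates (the task wants the vendors' renewals offset)."""
    return abs(ssl.cert_time_to_seconds(cert_a["notAfter"]) - ssl.cert_time_to_seconds(cert_b["notAfter"])) // 86400

def fetch_cert(host, port=443):
    """Fetch the leaf cert a live server presents (needs network; the samples below are offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples mirroring the two tabs in the question; the page shows dates only,
# so the times of day are made up.
TAB1_DIGICERT = {"issuer": ((("organizationName", "DigiCert Inc"),),
                            (("commonName", "DigiCert SHA2 High Assurance Server CA"),)),
                 "notBefore": "Dec 19 12:00:00 2016 GMT", "notAfter": "Jan 03 12:00:00 2018 GMT"}
TAB2_GLOBALSIGN = {"issuer": ((("organizationName", "GlobalSign nv-sa"),),
                              (("commonName", "GlobalSign Organization Validation CA - SHA256 - G2"),)),
                   "notBefore": "Nov 21 12:00:00 2016 GMT", "notAfter": "Nov 22 12:00:00 2017 GMT"}
```

Run `assess_cert(fetch_cert("en.wikipedia.org"), time.time())` to apply the same check to whatever your vantage point currently receives; for the two certs in the question the expiry dates are 42 days apart, in line with the "~1 month" offset the task describes.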