Lenovo Replacing Distrusted GeoTrust Certificates With New DigiCert Certificates - US

Type lenovo
Reporter Lenovo
Modified 2018-09-20T18:46:17


Lenovo Security Advisory: LEN-24497

Scope of Impact: Industry-wide. Anyone using a GeoTrust certificate will need to update to DigiCert. Major browsers will stop trusting GeoTrust certificates as early as October.

Summary Description: Many Lenovo sites use PKI certificates issued by the GeoTrust Certificate Authority (CA). Well-documented shortcomings in GeoTrust's processes have led to the industry losing trust in this CA, and thus "distrusting" or disabling GeoTrust certificates. As a result, Lenovo is replacing all GeoTrust certificates with new ones issued by DigiCert. This will happen on September 21, 2018.

Many Lenovo support applications use HTTPS to communicate securely with Lenovo sites and some IBM sites. Each application must be updated to begin trusting the new DigiCert CA and certificates.

Mitigation Strategy for Customers (what you should do to protect yourself): Upgrade to the application version (or newer) for each product described in the Product Impact section below. Note that downlevel applications are not vulnerable because of this — rather the application "Functions Impacted" listed in the table will stop working on the given "Cutover Date".
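To find endpoints that still need the replacement described above, the issuer of each served certificate can be inspected. The following is an added example, not Lenovo's code: the function names and the two sample certificates are constructed for illustration, and it assumes the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

DISTRUSTED_ORGS = ("geotrust",)    # issuing CA named in the advisory
REPLACEMENT_ORGS = ("digicert",)   # CA issuing the new certificates

def issuer_field(peercert, field):
    """Return one issuer attribute from a getpeercert() dict, or ''."""
    for rdn in peercert.get("issuer", ()):
        for name, value in rdn:
            if name == field:
                return value
    return ""

def classify(peercert):
    """'replace' = GeoTrust-issued, 'ok' = DigiCert-issued, else 'review'."""
    # Assumption: match on organizationName only. A brand name can appear
    # in an intermediate's commonName while another organization runs it.
    org = issuer_field(peercert, "organizationName").lower()
    if any(o in org for o in DISTRUSTED_ORGS):
        return "replace"
    if any(o in org for o in REPLACEMENT_ORGS):
        return "ok"
    return "review"

def fetch_peercert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate of a live host. If the local trust store
    rejects the chain, this raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(certs):
    """Map each label to its classification."""
    return {label: classify(cert) for label, cert in certs.items()}

# Constructed samples in getpeercert() format (not real certificates).
SAMPLE_OLD = {"issuer": ((("countryName", "US"),),
                         (("organizationName", "GeoTrust Inc."),),
                         (("commonName", "Constructed GeoTrust CA"),))}
SAMPLE_NEW = {"issuer": ((("countryName", "US"),),
                         (("organizationName", "DigiCert Inc"),),
                         (("commonName", "GeoTrust-branded CA (constructed)"),))}

if __name__ == "__main__":
    for label, verdict in audit({"old": SAMPLE_OLD, "new": SAMPLE_NEW}).items():
        print(f"{label}: {verdict}")
```

For a live inventory, pass the result of `fetch_peercert(host)` to `classify()`; a verification error from a host is worth recording as its own finding.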