Production Certificate Upgrades begin May 27 2015

by Administrator Administrator on 04-24-2015 10:11 AM - last edited on 05-28-2015 04:02 PM by Moderator Moderator (76,222 Views)

Update #4: Updated the required certificate list for clarity.

Update #3: Planned upgrades will be delayed one day to May 27, 2015.

Update #2: The EnTrust links have been updated below.

Update #1: Those having difficulty locating the EnTrust L1K root certificate may find it in EnTrust's knowledge base, at http://www.entrust.net/knowledge-base/technote.cfm?tn=8863.

Also, as a point of clarification: While our new domain certificates will be signed using SHA-256, the CA root certificates may use a different hash to sign themselves. The root certificates, and the chain certificates mentioned below, do not require SHA-256 signing for them to be used by your solution.

As part of ongoing improvements to Authorize.Net’s infrastructure, we will be upgrading our certificates so that they are signed using Secure Hash Algorithm 2 (SHA-2). Specifically, we are upgrading our API services to use EnTrust’s SHA-256, 2048-bit certificate. These changes will go out on May 27th, starting with secure.authorize.net.

In the coming months, we will be using multiple certificates from different Certificate Authorities, and we recommend installing these certificates—which also use SHA-256 and have 2048-bit signatures—in preparation for that change.

Please contact your solution provider and web hosting company to ensure your solution has these certificates installed and is capable of using them to secure your connection to Authorize.Net. In many cases the certificates may already be installed.

We may use certificates from any of three vendors: Entrust, GeoTrust, and CyberTrust. The required root certificates from each vendor are listed below, along with a link to the vendor's official download page.

Entrust

http://www.entrust.net/developer/

Certificate Name                                    Certificate Thumbprint (SHA-1)
Entrust.net Secure Server Certification Authority   99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539
Entrust.net Certification Authority (2048)          5030 0609 1D97 D4F5 AE39 F7CB E792 7D7D 652D 3431
Entrust Root Certification Authority                B31E B1B7 40E3 6C84 02DA DC37 D44D F5D4 6749 52F9

GeoTrust

https://www.geotrust.com/resources/root-certificates/

Certificate Name                                    Certificate Thumbprint (SHA-1)
GeoTrust Global CA                                  DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212

CyberTrust

https://cacert.omniroot.com/bc2025.crt

Certificate Name                                    Certificate Thumbprint (SHA-1)
Baltimore CyberTrust Root                           D4DE 20D0 5E66 FC53 FE1A 5088 2C78 DB28 52CA E474

We have also provided chain certificate details and thumbprints for those who require them. These chain certificates are not required for validation in most circumstances and should only be necessary if explicitly requested by your developer:

Certificate Name                            Issuer                              Certificate Thumbprint (SHA-1)
Verizon Akamai SureServer CA G14-SHA2       Baltimore CyberTrust Root           6AD2 B04E 2196 E48B F685 7528 90E8 11CD 2ED6 0606
Entrust Certification Authority – L1K       Entrust Inc                         CCA2 7D33 C735 A7D0 6D1F ECAD 980E 498D A681 C963
Entrust Root Certification Authority – G2   Entrust Inc                         8CF4 27FD 790C 3AD1 6606 8DE8 1E57 EFBB 9322 72D4
GeoTrust SSL CA - G4                        GeoTrust Global CA, GeoTrust Inc    DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212

The upgrade to SHA-2 follows a coordinated move by server and browser vendors to deprecate SHA-1:

  • Microsoft announced in late 2013 that it would no longer accept SHA-1 signed certificates which expire after January 1, 2017.
  • In September 2014, Google announced that the Chrome browser would gradually deprecate SHA-1 support and would also reject SHA-1 signed certificates which expire after January 1, 2017. In addition, SHA-1 signed certificates which expire in 2016 would be flagged as secure but with errors.
  • Also in September 2014, Mozilla announced that it would likewise reject SHA-1 signed certificates that expire after January 1, 2017. Mozilla's code base underlies a family of browsers, the best known being Mozilla Firefox.

While most modern operating systems and web servers support SHA-2, there is a concern that older software—especially software based on outdated versions of Java—may not adequately support SHA-2. Our sandbox environment has already been updated, so you can validate that your solution will continue to work with SHA-2 signed certificates prior to May 27th.

After the update is complete, any software that cannot validate an SHA-2 signed certificate will fail to connect to Authorize.Net servers.
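As an added example (not Authorize.Net's code), the following Python 3 checker uses only the standard library to do the two things this announcement asks of an integrator: confirm that an installed root matches one of the SHA-1 thumbprints listed above, and read the outer signature algorithm of a certificate to confirm that the sandbox presents a SHA-256 signed certificate. It assumes you obtain the DER bytes elsewhere, for example with `ssl.get_server_certificate` against the sandbox host followed by `ssl.PEM_cert_to_DER_cert`; the test data is a constructed, certificate-shaped DER structure, not a real certificate.

```python
import hashlib
import re
# SHA-1 root thumbprints exactly as listed in the announcement above.
REQUIRED_ROOTS = {
    "Entrust.net Secure Server Certification Authority": "99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539",
    "Entrust.net Certification Authority (2048)": "5030 0609 1D97 D4F5 AE39 F7CB E792 7D7D 652D 3431",
    "Entrust Root Certification Authority": "B31E B1B7 40E3 6C84 02DA DC37 D44D F5D4 6749 52F9",
    "GeoTrust Global CA": "DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212",
    "Baltimore CyberTrust Root": "D4DE 20D0 5E66 FC53 FE1A 5088 2C78 DB28 52CA E474",
}
# Signature-algorithm OIDs (RFC 3279 / RFC 4055) this check distinguishes.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def normalize(thumb):  # "DE28 F4A4 ..." -> "DE28F4A4..."
    return re.sub(r"[^0-9A-F]", "", thumb.upper())

def thumbprint(der):  # SHA-1 over the DER bytes, as certificate viewers show it
    return hashlib.sha1(der).hexdigest().upper()

def matching_root(der):
    """Name of the listed root this DER certificate is, or None if it is not on the list."""
    fp = thumbprint(der)
    return next((n for n, t in REQUIRED_ROOTS.items() if normalize(t) == fp), None)

def _tlv(buf, pos):
    """Read one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(der):
    """Return the name (or dotted OID) of the certificate's outer signatureAlgorithm."""
    _, start, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE {
    _, _, tbs_end = _tlv(der, start)                #   tbsCertificate   (skipped whole)
    _, alg_start, _ = _tlv(der, tbs_end)            #   signatureAlgorithm SEQUENCE {
    tag, oid_start, oid_end = _tlv(der, alg_start)  #     algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    body = der[oid_start:oid_end]
    arcs, value = [body[0] // 40, body[0] % 40], 0  # first byte packs arcs 1 and 2
    for b in body[1:]:                              # base-128 arcs, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    oid = ".".join(map(str, arcs))
    return SIG_OIDS.get(oid, oid)
```

Run `signature_algorithm` on the leaf certificate the sandbox serves and `matching_root` on each root in your trust store; a leaf reporting sha1WithRSAEncryption or a root returning None is what to investigate before May 27th.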

Comments
by Administrator Administrator
04-24-2015 01:07 PM - edited 06-12-2015 03:02 PM

Join us in the Integration and Testing forum for further questions:

https://community.developer.authorize.net/t5/Integration-and-Testing/bd-p/Integration01

by Moderator Moderator
on 05-06-2015 03:46 PM

As a follow-up, those having difficulties finding the EnTrust L1K certificate may download it here:

http://www.entrust.net/knowledge-base/technote.cfm?tn=8863

by Moderator Moderator
on 05-08-2015 02:05 PM

As a second follow-up: While our security domain certificates will support SHA-256, the root CA certificates may be SHA-1. Installing the root CA certificates will ensure your solution will handle our new domain certificates properly, regardless of the hashing algorithm used to sign the root CA certificate.

by Administrator Administrator
on 05-26-2015 07:11 PM

Production upgrades are now scheduled to occur tomorrow evening, May 27th.

Richard