This article details the best practices for trust points and relevant configurations to implement SSL/TLS connections to the Symantec VIP service.
To connect to the Symantec VIP service, client applications must use the TLS protocol (v1.2 or v1.3) with mutual authentication. The client application can authenticate the server only if its trusted CA certificate store contains the appropriate trust point from the server certificate chain.
Client Applications & Trust Points
Symantec VIP Services accept connections from a wide range of clients. The clients that connect to VIP Services are typically web applications, web services and XML gateway appliances implemented in Java, C, C++, .NET, PHP or other popular languages. These clients support the TLS protocol and should have the ability to configure a trusted certificate store.
When using certificate-based mutual authentication, the following actions occur:
- The VIP client initiates an HTTPS call.
- The server sends back the server certificate chain (SSL certificate and Intermediate CA) up to but not including the root certificate.
- The client verifies the server certificate against the trust points stored in its local trust store, in this case “DigiCert Global Root CA”.
- The client sends the server the VIP certificate.
- The server verifies the VIP certificate against the trust point “VIP Authentication Service CA” stored in its local trust store.
- After the transmission is secured, the client is authenticated and allowed to access protected services.
Recommendation
The SSL server certificates for the Symantec VIP service are signed by the Root CA “DigiCert Global Root CA”. Make certain that this root certificate is included in the trusted CA certificate store configured in client applications. Trusting this root certificate ensures maximum compatibility with future SSL server certificate renewals and changes, and thus helps ensure continuous successful client connectivity to the VIP service. Symantec strongly requests that customer applications connecting to these services use the Root CA named above as the trust anchor, and not the Intermediate CA, because Intermediate CAs are subject to change.
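The mutual-TLS exchange above and the root-not-intermediate recommendation, as an added example that is not part of this article or of any Symantec VIP SDK: a Python client context with the stated policy (TLS 1.2 or 1.3, server certificate required, client certificate presented), plus an audit helper that inspects what a trust store actually holds and flags any intermediate CA configured as an anchor. File paths and the "Example Intermediate CA" name are placeholders.

```python
import ssl

VIP_ROOT_CN = "DigiCert Global Root CA"  # root CA named in the article


def tls_policy_context():
    """SSLContext carrying the article's minimum policy, before any files are loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.2 or 1.3 only; 1.0/1.1 refused
    ctx.verify_mode = ssl.CERT_REQUIRED            # server must present a verifiable chain
    ctx.check_hostname = True                      # and the certificate must match the VIP host
    return ctx


def vip_client_context(root_ca_file, vip_cert_file, vip_key_file):
    """Mutual-TLS context. The three paths are assumptions, not values from the article."""
    ctx = tls_policy_context()
    ctx.load_verify_locations(cafile=root_ca_file)                      # anchor: root CA only
    ctx.load_cert_chain(certfile=vip_cert_file, keyfile=vip_key_file)   # VIP client certificate
    return ctx


def tls_policy_ok(ctx):
    """Audit helper: True if a context meets the minimum policy above."""
    return (ctx.minimum_version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


def _common_name(name):
    # name uses the tuple-of-tuples form returned by SSLContext.get_ca_certs()
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify_trust_store(ca_certs):
    """Split entries from SSLContext.get_ca_certs() into self-signed roots and intermediates.

    An entry whose issuer equals its subject is a root. Intermediates found here are
    anchors that will stop validating when the intermediate CA is rotated."""
    roots, intermediates = [], []
    for cert in ca_certs:
        cn = _common_name(cert["subject"])
        (roots if cert["subject"] == cert["issuer"] else intermediates).append(cn)
    return roots, intermediates


def trust_store_ok(ca_certs, expected_root=VIP_ROOT_CN):
    """True only if the expected root is present and no intermediate is used as an anchor."""
    roots, intermediates = classify_trust_store(ca_certs)
    return expected_root in roots and not intermediates
```

On a configured context, call `classify_trust_store(ctx.get_ca_certs())` to see which anchors were actually loaded; a non-empty intermediate list is the misconfiguration the article warns about.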
Conclusion
Symantec's best practice for ensuring continuous connectivity to the Symantec VIP service backend is to use the Root CA as the trust point in client applications that need to establish a TLS connection.