Action Required: Root CA change for Symantec VIP SSL certificates

Article ID: 272572

Updated On:

Products

VIP Service

Issue/Introduction

Broadcom will be reissuing VIP SSL certificates from the DigiCert Global Root G2 CA. 

PHASE 1: VIP HTTP browser URLs (May 2025)

PHASE 2: VIP API endpoints (July 2025)

This article provides guidance for avoiding a service interruption after the change.

Resolution

What will be the hierarchy of the new SSL cert chain?

DigiCert Global Root G2
 └DigiCert Global G2 TLS RSA SHA256 2020 CA1
    └SSL certificate

When will the change happen?

  • Phase 1: May 2025 (exact date and time will be posted once available)
  • Phase 2: July 2025 (exact date and time will be posted once available)

What VIP components are affected, and what action is required?

PHASE 1 (May 2025)

PHASE 2 (July 2025)

  • VIP Services Applications with Cert Pinning: Certificate pinning restricts which certificates an application will accept when connecting to a web service. Organizations using certificate pinning must update the pinning hierarchy to include and trust the DigiCert Global Root G2 CA (cert information below).
  • VIP Web Services: Application servers that connect to VIP Web Service API endpoints must trust the DigiCert Global Root G2 CA certificate (cert information below).
  • VIP Enterprise Gateway: VIP Enterprise Gateway 9.10.x and older is affected. Click here for mandatory instructions.
  • VIP Integrations: VIP integrations for Apache, IIS, and AD FS are affected. Click here for mandatory instructions.

Are VIP certificates from VIP Manager affected?

No. VIP certificates from your VIP Manager tenant are not affected and do not need to be reissued.

Can I test if this change affects my VIP Service?

A test URL will soon be available so that you can test a VIP endpoint from the exact runtime of your production application (same keystore, trust store, operating system, and so on). The URL will be shared here.

  • If you receive an expected response of HTTP 200 or HTTP 400, you are not affected. No further action is necessary. 
  • If you receive SSL handshake or secure connection failed errors when connecting to the test endpoint, you are affected and must add the root and intermediate CA certificates before VIP renews the SSL certificates.

Note: VIP Enterprise Gateway URLs cannot be modified for testing. 
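The test rule above can be scripted for an application server whose runtime is Python/OpenSSL. The following is an added example, not Broadcom's code: it checks whether the runtime's loaded trust store contains a CA named DigiCert Global Root G2 and classifies a probe of the test URL by the rule above. The function names, the sample store and the command-line arguments are assumptions; the name match does not authenticate the certificate, so confirm the fingerprint against the cert information in this article.

```python
import ssl
import sys
import urllib.error
import urllib.request

ROOT_CN = "DigiCert Global Root G2"  # root CA name as given in the article

# Constructed sample in the shape SSLContext.get_ca_certs() returns.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Org"),), (("commonName", "Example Root CA"),))},
    {"subject": ((("organizationName", "DigiCert Inc"),), (("commonName", ROOT_CN),))},
]

def trusts_root(ca_certs, cn=ROOT_CN):
    """True if a CA in the loaded trust store has the expected subject commonName."""
    return any(key == "commonName" and value == cn
               for cert in ca_certs
               for rdn in cert.get("subject", ())
               for key, value in rdn)

def classify(status=None, error=None):
    """Apply the article's rule: HTTP 200/400 is fine, a TLS failure means affected."""
    if status in (200, 400):
        return "not affected"
    if isinstance(error, ssl.SSLError):  # includes certificate verification failures
        return "affected"
    return "inconclusive"

def probe(url, cafile=None, timeout=10):
    """Connect using cafile (default: this runtime's trust store) and classify the outcome."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return classify(status=resp.status)
    except urllib.error.HTTPError as exc:  # TLS succeeded; server returned an error status
        return classify(status=exc.code)
    except urllib.error.URLError as exc:   # handshake errors arrive wrapped in URLError
        return classify(error=exc.reason)
    except OSError as exc:                 # timeouts, resets, unwrapped SSL errors
        return classify(error=exc)

if __name__ == "__main__":
    # get_ca_certs() omits CAs that sit in a capath directory and have not been used yet,
    # so a False here is a prompt to inspect the store, not proof the root is missing.
    print("root loaded:", trusts_root(ssl.create_default_context().get_ca_certs()))
    if len(sys.argv) > 1:  # pass the test URL once it is published; optional CA file second
        print("probe:", probe(sys.argv[1], *sys.argv[2:3]))
```

Run it under the same account and environment as the production application, so that it reads the same trust store.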

DigiCert Global Root G2 information