Action Required: Root CA change for Symantec VIP Service SSL certificates

Article ID: 272572

Products

VIP Service

Issue/Introduction

In the fall of 2024, Symantec VIP will renew the SSL certificates for the following endpoints. 

  • https://services-auth.vip.symantec.com
  • https://services.vip.symantec.com
  • https://userservices.vip.symantec.com
  • https://userservices-auth.vip.symantec.com
  • https://messaging.vip.symantec.com
  • https://goidservices-auth.vip.symantec.com

The certificates currently chain to the DigiCert Global Root G1 CA. The new SSL certificates will be issued by the DigiCert Global Root G2 CA.

Resolution

When will the change happen?

The targeted time frame is fall 2024. Prepare to implement any required changes to your environment before this target date.

Are VIP certificates from VIP Manager affected?

No. VIP certificates generated and downloaded from your VIP Manager tenant are not affected. No action is necessary.  

Are my VIP components affected?

  • VIP Services Applications with Cert Pinning: Certificate pinning restricts which certificates are available to a web service. Organizations using certificate pinning must update the pinning hierarchy to include and trust the DigiCert Global Root G2 CA. 
  • VIP Web Services: All application servers that connect to VIP Web Services API endpoints must trust the DigiCert Global Root G2 CA certificate.
  • VIP Enterprise Gateway: VIP Enterprise Gateway 9.11 is not affected. Click here for mandatory instructions if running VIP EG 9.10 or older.
  • VIP Integrations: No VIP Integrations are affected.
  • VIP Manager: The VIP Manager URL and VIP certificates through VIP Manager are not affected.  Reissuing VIP certificates is not necessary.
  • VIP Login and common browsers: Updated browsers trust the DigiCert Global Root G2 CA. 

How do I check if this change affects my VIP Service?

A test URL will soon be available so that you can test the VIP endpoint from the same runtime as your production application (same keystore, trust store, operating system, and so on). The URL will be shared here.

  • If you receive an expected response of HTTP 200 or HTTP 400, you are not affected. No further action is necessary. 
  • If you receive SSL handshake or secure connection failed errors when connecting to the test endpoint, you are affected and must add the root and intermediate CA certificates before VIP renews the SSL certificates.

VIP Enterprise Gateway URLs cannot be modified for testing. Click here for mandatory instructions.

What action should I take?

- VIP Enterprise Gateway: click here for mandatory instructions.

- For other applications, if you determine that you are affected by this change, download and install the DigiCert Global Root G2 root CA and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate CA certificates to the trust stores used by your application. Download the .pem or .crt version depending upon which format you use.
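The check and the trust-store update described above can be verified with a short script. This is an added example, not Symantec or Broadcom code: it reports whether a PEM trust store contains the DigiCert Global Root G2 CA and performs a TLS handshake against any host you pass in, using only that trust store. It assumes the application's trust store is available as a PEM bundle; the script name and the TEST_HOST argument are placeholders, and the handshake covers only the TLS part of the article's HTTP 200/400 test.

```python
import socket
import ssl
import sys

ROOT_CN = "DigiCert Global Root G2"  # new root CA named in the article

def subject_cn(cert):
    """commonName of a certificate dict in ssl.getpeercert() format."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def has_root(ca_certs, cn=ROOT_CN):
    """True if any CA certificate in the list has the given subject CN."""
    return any(subject_cn(c) == cn for c in ca_certs)

def classify(exc):
    """Map a handshake outcome onto the article's two cases."""
    if exc is None:
        return "not affected: TLS handshake succeeded"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "affected: " + getattr(exc, "verify_message", str(exc))
    return "inconclusive: " + str(exc)  # DNS, timeout, proxy, etc.

def probe(host, ctx, port=443, timeout=10):
    """Handshake with host using only the CAs loaded in ctx."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return classify(None)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify(exc)

if __name__ == "__main__":
    # Usage (hypothetical file name): python check_g2.py TRUSTSTORE.pem [TEST_HOST ...]
    # TEST_HOST is the test endpoint the article says will be published.
    ctx = ssl.create_default_context(cafile=sys.argv[1])
    print(ROOT_CN, "in trust store:", has_root(ctx.get_ca_certs()))
    for host in sys.argv[2:]:
        print(host, "->", probe(host, ctx))
```

Run it on the application server itself, against the same trust store file the application loads, so the result reflects the production runtime.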