URGENT: Required DigiCert G2 Root CA upgrade for VIP Enterprise Gateway and VIP integrations for AD FS, IIS and Apache
search cancel

URGENT: Required DigiCert G2 Root CA upgrade for VIP Enterprise Gateway and VIP integrations for AD FS, IIS and Apache

book

Article ID: 278868

calendar_today

Updated On:

Products

VIP Service

Issue/Introduction

On October 9, 2025 @ 12:30PM UTC (5:30 PM PDT), Broadcom will reissue SSL certificates for VIP endpoints from the DigiCert Global Root G2 CA. Click here for more information.

The following components are affected by this change. 

  • VIP Enterprise Gateway 9.10x and older
  • VIP Integration for AD FS (Active Directory Federation Services)
  • VIP Integration for Apache
  • VIP Integration for IIS

Action is required to avoid a service disruption.

Cause

 

Resolution

What is happening?

On October 9, 2025 @ 12:30PM UTC (5:30 PM PDT), Symantec VIP will be reissuing SSL certificates from the DigiCert Global Root G2 CA.  

What action is required?

  • VIP Integration module for AD FS: Download Active_Directory_Federation_Services.zip from VIP Manager and follow Update Instructions here
  • VIP Integration module for Microsoft IIS: Download Internet_Information_Services.zip from VIP Manager and refer to instructions here
  • VIP Integration module for Apache: Download Apache.zip ) from VIP Manager and refer to instructions here
  • VIP Enterprise Gateway:
VIP EG Version: Compliant? Action:
9.11 or later Yes No action is required. The new G2 root CA chain is included. 
9.10.x No Install the G2 Import Tool (attached) on the VIP EG server to inject the certificate chain into the root store. 
9.9.2 No 9.9.2 support ended on 31 Jan 2025 - upgrade to 9.11.
Note: The G2 Import Tool (attached) can be installed on 9.9.x until the server can be upgraded.
9.9.1, 9.9.0, 9.8.x and older

No

 Upgrade to version 9.11. (Or, upgrade to 9.10.3 and install the G2 Import Tool (attached)). (See: VIP Enterprise Gateway installation and upgrade guides).

 

VIP Enterprise Gateway G2 Import Tool Instructions:

  1. Download and unzip the attached VIP_EG_G2Support.zip to a temp location.
  2. Open an administrator command prompt/shell and navigate to the extracted location of the VIP_EG_G2Support.zip.
    • Windows:
      • VIP EG 9.9.x, type: 
        set "VRSN_MAUTH_HOME=C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway"
      • VIP EG 9.10.x, type:
        set "VRSN_MAUTH_HOME=C:\Program Files\Symantec\VIP_Enterprise_Gateway"
      • Type g2support.bat and press enter 

    • Linux:
      • Type export VRSN_MAUTH_HOME=<VIP_EG_Install_ Directory> and press enter
      • Type g2support.sh and press enter 
  3. The script may take a few minutes to run. You may see a warning message "WARNING: Runtime environment or build system does not support multi-release JARs. This will impact location-based features."
  4. The message "Changes to certificate Store(s) saved successfully" indicates the script is complete.

**Note: A restart of all VIP Enterprise Gateway services is required after importing the Digicert Global Root G2 CA certificate using this utility for the services to register this change.

 

Verifying the DigiCert G2 Root CA chain from the VIP Enterprise Gateway:

OPTION 1: USE KEYTOOL TO VERIFY THE ROOT CA WAS ADDED:

  • From an administrator command prompt, navigate to <VIP_EG_install_location>\jvm\bin
  • VIP EG 10.x and later:  type 
    keytool -printcert -file "C:/Program Files/Symantec/VIP_Enterprise_Gateway/conf/root.pem" >C:\certs.txt
    VIP EG 9.9.x: type 
    keytool -printcert -file "C:/Program Files (x86)/Symantec/VIP_Enterprise_Gateway/conf/root.pem" >C:\certs.txt
  • View the contents of the C:\certs.txt file and search for the line CN=DigiCert Global Root G2.

OPTION 2: USE OPENSSL TO VERIFY THE ROOT CA CHAIN:

  • From an administrator command prompt, navigate to <VIP_EG_install_location>tools

  • Windows: Open an administrative command prompt and navigate to <VIPEG_install>\tools and run this command:

    • VIP EG 10.x and later: openssl s_client -connect vip.symantec.com:443 -CAfile "C:\Program Files\Symantec\VIP_Enterprise_Gateway\conf\root.pem"

    • VIP EG 9.9.x: openssl s_client -connect vip.symantec.com:443 -CAfile "C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\conf\root.pem"

  • Linux: From /conf directory, run the command: openssl s_client -connect vip.symantec.com:443 -CAfile ./root.pem

  • 9.9.x, 9.10.x (patch applied) and 9.11.x success message: "Verify return code: 0 (ok)"
  • Patch NOT applied successfully failure message: "Verify return code: 20 (unable to get local issuer certificate)"

 



Additional Information

test

Attachments

VIP_EG_G2Support.zip get_app
Powered by Wolken Software