Action Required: Root CA change for Symantec VIP SSL certificates

Article ID: 272572

Products

VIP Service

Issue/Introduction

Broadcom will be reissuing VIP SSL certificates from the DigiCert Global Root G2 CA. 

PHASE 1: VIP HTTP browser URLs (May 30, 2025)

  • manager.vip.symantec.com
  • ssp.vip.symantec.com
  • login.vip.symantec.com
  • my.vip.symantec.com

PHASE 2: VIP API endpoints (Late 2025 - TBD)

  • services-auth.vip.symantec.com
  • services.vip.symantec.com
  • userservices.vip.symantec.com
  • userservices-auth.vip.symantec.com
  • messaging.vip.symantec.com
  • goidservices-auth.vip.symantec.com

This article provides guidance for avoiding a service interruption after the change.

Resolution

What will be the hierarchy of the new SSL cert chain?

DigiCert Global Root G2
 └DigiCert Global G2 TLS RSA SHA256 2020 CA1
    └SSL certificate

When will the change happen?

  • Phase 1: May 30, 2025
  • Phase 2: Late 2025 - TBD

What VIP components are affected, and what action is required?

PHASE 1 (May 2025)

PHASE 2 (Late 2025 - TBD)

  • VIP Services Applications with Cert Pinning: Certificate pinning restricts which certificates an application will accept from a web service. Organizations using certificate pinning must update the pinning hierarchy to include and trust the DigiCert Global Root G2 CA (cert information below).
  • VIP Web Services: Application servers that connect to VIP Web Service API endpoints must trust the DigiCert Global Root G2 CA certificate (cert information below).
  • VIP Enterprise Gateway: VIP Enterprise Gateway 9.10.x and older is affected. Click here for mandatory instructions.
  • VIP Integrations: VIP integrations for Apache, IIS, and AD FS are affected. Click here for mandatory instructions.

Are VIP certificates from VIP Manager affected?

No. VIP certificates from your VIP Manager tenant are not affected and do not need to be reissued.

Can I test if this change affects my VIP Service?

Testing your browser for phase 1: Open https://vip.symantec.com/ from any browser. If 

Testing your application for phase 2: Connect to https://vip.symantec.com/ from the exact runtime of your production application (same VIP certificate, keystore, trust store, operating system, and so on). Confirm that your application trusts the SSL cert chain hierarchy. (A successful HTTP 200 connection will respond with HTML content; this is expected and can be ignored.) No actual VIP transaction can be processed with this URL.
SSL handshake or 'secure connection failed' errors indicate a non-trusted connection. Refer to your application vendor to import the certs and establish trust. In many cases, SSL updates require a server reboot.
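
One way to run the phase 2 check from a Python runtime, added here as an example and not taken from Broadcom: it looks for the new root in the trust store and then performs a verified handshake against the test URL. The function names and the optional `cafile` PEM bundle path are assumptions; an application on another runtime (for example one using a Java keystore) must still be tested from that runtime.

```python
import socket
import ssl

NEW_ROOT_CN = "DigiCert Global Root G2"  # root CA named in this article
TEST_HOST = "vip.symantec.com"           # test URL given in this article


def common_name(name):
    """Return commonName from a subject/issuer tuple in the ssl module's format."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def store_has_root(ca_certs, root_cn=NEW_ROOT_CN):
    """True if ca_certs (SSLContext.get_ca_certs() format) holds self-signed root_cn."""
    return any(c.get("subject") == c.get("issuer")
               and common_name(c.get("subject", ())) == root_cn
               for c in ca_certs)


def build_context(cafile=None):
    """Verifying client context from a PEM bundle, or the system store if None."""
    if cafile is None:
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # chain + hostname checks on
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def check_endpoint(host=TEST_HOST, cafile=None, timeout=10):
    """Handshake with host:443. Returns (trusted, leaf issuer CN or error text)."""
    ctx = build_context(cafile)
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, common_name(tls.getpeercert()["issuer"])
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except OSError as exc:
        return False, f"connection error: {exc}"


if __name__ == "__main__":
    # CAs in an OpenSSL capath directory load lazily and are not listed here,
    # so the handshake result is the authoritative answer.
    print("root listed in store:", store_has_root(build_context().get_ca_certs()))
    print("handshake (trusted, detail):", check_endpoint())
```

After the reissue, a trusted handshake should report the intermediate from the hierarchy above, DigiCert Global G2 TLS RSA SHA256 2020 CA1, as the leaf issuer.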

Testing the VIP Enterprise Gateway: Click here

DigiCert Global Root G2 information