Action Required: Root CA change for Symantec VIP SSL certificates

Article ID: 272572

Updated On: 04-08-2025

Products

VIP Service

Issue/Introduction

Broadcom will be reissuing VIP SSL certificates from the DigiCert Global Root G2 CA. 

PHASE 1: VIP HTTP browser URLs (May 2025)

  • manager.vip.symantec.com
  • ssp.vip.symantec.com
  • login.vip.symantec.com
  • my.vip.symantec.com

PHASE 2: VIP API endpoints (July 2025)

  • services-auth.vip.symantec.com
  • services.vip.symantec.com
  • userservices.vip.symantec.com
  • userservices-auth.vip.symantec.com
  • messaging.vip.symantec.com
  • goidservices-auth.vip.symantec.com

This article provides guidance for avoiding a service interruption after the change.

Resolution

What will be the hierarchy of the new SSL cert chain?

DigiCert Global Root G2
 └DigiCert Global G2 TLS RSA SHA256 2020 CA1
    └SSL certificate

When will the change happen?

  • Phase 1: May 2025 (exact date and time will be posted once available)
  • Phase 2: July 2025 (exact date and time will be posted once available)

What VIP components are affected, and what action is required?

PHASE 1 (May 2025)

PHASE 2 (July 2025)

  • VIP Services Applications with Cert Pinning: Certificate pinning restricts which certificates an application will accept from a web service. Organizations using certificate pinning must update the pinned hierarchy to include and trust the DigiCert Global Root G2 CA (cert information below).
  • VIP Web Services: Application servers that connect to VIP Web Service API endpoints must trust the DigiCert Global Root G2 CA certificate (cert information below).
  • VIP Enterprise Gateway: VIP Enterprise Gateway 9.10.x and older is affected. Click here for mandatory instructions.
  • VIP Integrations: VIP integrations for Apache, IIS, and AD FS are affected. Click here for mandatory instructions.

Are VIP certificates from VIP Manager affected?

No. VIP certificates from your VIP Manager tenant are not affected and do not need to be reissued.

Can I test if this change affects my VIP Service?

Testing your application: Connect to https://newca.vip.symantec.com/ from a runtime identical to that of your production application (same VIP certificate, keystore, trust store, operating system, and so on) and confirm that your application trusts the SSL cert chain hierarchy. Actual transactions will fail with HTTP 502: Bad Gateway, as expected. SSL handshake or 'secure connection failed' errors indicate a non-trusted connection; refer to your application vendor to import the certs and establish trust. In many cases, SSL updates require a server reboot.

Testing the VIP Enterprise Gateway: URLs cannot be modified for testing. 
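
The application test described above, as an added example (not Broadcom's code): a Python probe that handshakes with the test URL while trusting only a chosen PEM bundle, and separates a trust failure from the expected HTTP 502. The function names, the PEM-bundle argument and the issuer comparison are assumptions of this example; it reports what this Python process trusts, so for a Java keystore or Windows certificate store the equivalent check must run inside that runtime.

```python
import socket
import ssl
import sys

TEST_HOST = "newca.vip.symantec.com"  # test endpoint named in the article
EXPECTED_ISSUER = "DigiCert Global G2 TLS RSA SHA256 2020 CA1"  # intermediate named in the article


def classify(error, issuer_cn, http_status):
    """Map one probe outcome to the article's guidance (pure function, no I/O)."""
    if isinstance(error, ssl.SSLCertVerificationError):
        return "UNTRUSTED: certificate verification failed against this trust store"
    if isinstance(error, ssl.SSLError):
        return "TLS_ERROR: handshake failed for a reason other than chain trust"
    if error is not None:
        return "UNREACHABLE: no TLS session, trust was not tested"
    if issuer_cn != EXPECTED_ISSUER:
        return "UNEXPECTED_ISSUER: chain verified but issued by %r" % issuer_cn
    if http_status == 502:
        return "TRUSTED: chain verified, HTTP 502 is the expected reply"
    return "TRUSTED: chain verified, HTTP status %s" % http_status


def read_status(tls, host):
    """Send one GET and return the status code, or None if no valid reply arrives."""
    try:
        tls.sendall(("GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode())
        parts = tls.recv(4096).split(b"\r\n", 1)[0].split()
    except OSError:
        return None
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None


def probe(host=TEST_HOST, port=443, cafile=None, timeout=10):
    """Handshake trusting only the PEM file `cafile` (system store if None)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                status = read_status(tls, host)
    except OSError as exc:  # SSLError and its subclasses are OSError too
        return classify(exc, None, None)
    return classify(None, issuer.get("commonName"), status)


if __name__ == "__main__":
    print(probe(cafile=sys.argv[1] if len(sys.argv) > 1 else None))
```

Pass the PEM bundle your application uses as the first argument; with no argument the operating system's default store is used.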

DigiCert Global Root G2 information