Action Required: Root CA change for Symantec VIP Service SSL certificates
Article ID: 272572
Updated On:
Products
Issue/Introduction
VIP SSL certificates for the following endpoints expire on 24 October 2024 and will be renewed for 6 months from the same CA (DigiCert Global Root G1 CA) key.
- https://services-auth.vip.symantec.com
- https://services.vip.symantec.com
- https://userservices.vip.symantec.com
- https://userservices-auth.vip.symantec.com
- https://messaging.vip.symantec.com
- https://goidservices-auth.vip.symantec.com
In spring 2025, the SSL certificates will be renewed and issued by the DigiCert Global Root G2 CA.
Resolution
When will the change happen?
The targeted time frame is spring 2025. Prepare to implement any required changes to your environment before this target date.
Are VIP certificates from VIP Manager affected?
No. VIP certificates generated and downloaded from your VIP Manager tenant are not affected. No action is necessary.
Are my VIP components affected?
- VIP Services Applications with Cert Pinning: Certificate pinning restricts which certificates are available to a web service. Organizations using certificate pinning must update the pinning hierarchy to include and trust the DigiCert Global Root G2 CA.
- VIP Web Services: All application servers that connect to VIP Web Services API endpoints must trust the DigiCert Global Root G2 CA certificate.
- VIP Enterprise Gateway: VIP Enterprise Gateway 9.11 is not affected. Click here for mandatory instructions is running VIP EG 9.10 or older.
- VIP Integrations: No VIP Integrations are affected.
- VIP Manager: The VIP Manager URL and VIP certificates through VIP Manager are not affected. Reissuing VIP certificates is not necessary.
- VIP Login and common browsers: Updated browsers trust the DigiCert Global Root G2 CA.
How do I check if this change affects my VIP Service?
A test URL will soon be available to test the VIP endpoint from an exact runtime of your production application (same keystore, trust store, operating system, and so on). The URL will be shared here.
- If you receive an expected response of HTTP 200 or HTTP 400, you are not affected. No further action is necessary.
- If you receive SSL handshake or secure connection failed errors when connecting to the test endpoint, you are affected and must add the root and intermediate CA certificates before VIP renews the SSL certificates.
VIP Enterprise Gateway URLs cannot be modified for testing. Click here for mandatory instructions.
What action should I take?
- VIP Enterprise Gateway: click here for mandatory instructions.
- For other applications, if you determine that you are affected by this change, download and install the DigiCert Global Root G2 root CA and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate CA certificates to the trust stores used by your application. Download the .pem or .crt version depending upon which format you use.
- Root: DigiCert Global Root G2
PEM: https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
CRT: https://cacerts.digicert.com/DigiCertGlobalRootG2.crt
- Intermediate: DigiCert Global G2 TLS RSA SHA256 2020 CA1
PEM: https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt.pem
CRT: https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
Feedback
