Required SSL certificate upgrade for Symantec VIP Services API and VIP Enterprise Gateway
search cancel

Required SSL certificate upgrade for Symantec VIP Services API and VIP Enterprise Gateway

book

Article ID: 272572

calendar_today

Updated On:

Products

VIP Service

Issue/Introduction

In the fall of 2024, Symantec VIP will be renewing all SSL certificates. The new certificates will chain to the DigiCert Global Root G2 CA. The following VIP endpoints are affected:

  • https://services-auth.vip.symantec.com
  • https://services.vip.symantec.com
  • https://userservices.vip.symantec.com
  • https://userservices-auth.vip.symantec.com
  • https://messaging.vip.symantec.com
  • https://goidservices-auth.vip.symantec.com

(The current SSL certificates expire Thu, 24 Oct 2024, 23:59:59 UTC. The certs chain to the DigiCert Global Root G1 CA.)

Resolution

Target Date:

The targeted date for this change is fall 2024. Prepare now to implement any required changes to your environment before this target date.

FAQ:

Do I need to download new VIP certificates from my VIP Manager tenant?

No. VIP certificates generated and downloaded from your VIP Manager tenant will not be affected. No action is necessary.  

Are my VIP components affected?

  • VIP Services Applications with Cert Pinning: Certificate pinning is the process of associating a host with the expected certificate. Symantec recommends against certificate pinning. Organizations using certificate pinning to the DigiCert Global Root CA-chained certificates within their application should update the pinning hierarchy to trust the DigiCert Global Root G2 CA
    (See https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning for more information about certificate pinning)
  • VIP Web Services: All application servers that connect to VIP Web Services API endpoints must trust the DigiCert Global Root G2 CA certificate.
  • VIP Enterprise Gateway: All VIP Enterprise Gateway versions before 9.11 are affected. Click here for mandatory instructions
  • VIP Integrations: No VIP Integrations are affected.
  • VIP Manager: The VIP Manager URL and VIP certificates through VIP Manager are not affected.  Reissuing VIP certificates is not necessary.
  • Browsers: All up-to-date browsers trust the DigiCert Global Root G2 CA.

How do I check if this change affects my VIP Service?

Access the test VIP endpoint from an exact runtime of your production application (same keystore, trust store, operating system, and so on). 

Test endpoint: https://digicert-newca-test.vip.symantec.com

  • If you receive an expected response of HTTP 200 or HTTP 400, you are not affected. No further action is necessary. 
  • If you receive SSL handshake or secure connection failed errors when connecting to the test endpoint, you are affected and must add the root and intermediate CA certificates before VIP renews the SSL certificates.

VIP Enterprise Gateway URLs cannot be modified for testing. Click here for mandatory instructions.

What action should I take?

- VIP Enterprise Gateway: click here for mandatory instructions.

- For other applications, if you determine that you are affected by this change, download and install the DigiCert Global Root G2 root CA and DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate CA certificates to the trust stores used by your application. Download the .pem or .crt version depending upon which format you use. 

 

Powered by Wolken Software