Required DigiCert G2 Root CA upgrade for VIP Enterprise Gateway and VIP integrations for AD FS, IIS and Apache

VIP Service

In July 2025, Broadcom will reissue SSL certificates for VIP endpoints from the DigiCert Global Root G2 CA. Click here for more information.

The following components are affected by this change.

Action is required before July 2025 to avoid a service disruption.

In July 2025, Symantec VIP will be reissuing SSL certificates from the DigiCert Global Root G2 CA. The exact date\time will be updated to this page soon.

VIP Integration module for AD FS: Download Active_Directory_Federation_Services.zip from VIP Manager and follow upgrade instructions here.
VIP Integration module for Microsoft IIS: Download Internet_Information_Services.zip from VIP Manager and refer to instructions here.
VIP Integration module for Apache: Download Apache.zip ) from VIP Manager and refer to instructions here.
VIP Enterprise Gateway:

VIP EG Version:	Compliant?	Action:
9.11 or later	Yes	No action is required. The new G2 root CA chain is included.
9.10.x	No	Install the G2 Import Tool (attached) on the VIP EG server to inject the certificate chain into the root store.
9.9.2	No	9.9.2 support ended on 31 Jan 2025 - upgrade to 9.11. Note: The G2 Import Tool (attached) can be installed on 9.9.2 until the server can be upgraded.
9.9.1, 9.9.0, 9.8.x and older	No	Upgrade to version 9.11. (Or, upgrade to 9.10.3 and install the G2 Import Tool (attached)). (See: VIP Enterprise Gateway installation and upgrade guides).

Download and unzip the attached VIP_EG_G2Support.zip to a temp location.
Open an administrator command prompt/shell and navigate to the extracted location of the VIP_EG_G2Support.zip.

Windows:

VIP EG 9.9.x, type:

set "VRSN_MAUTH_HOME=C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway"

VIP EG 9.10.x, type:

set "VRSN_MAUTH_HOME=C:\Program Files\Symantec\VIP_Enterprise_Gateway"

Linux:
- Type export VRSN_MAUTH_HOME=<VIP_EG_Install_ Directory> and press enter
- Type g2support.sh and press enter
The script may take a few minutes to run. You may see a warning message "WARNING: Runtime environment or build system does not support multi-release JARs. This will impact location-based features."
The message "Changes to certificate Store(s) saved successfully" indicates the script is complete.

From an administrator command prompt, navigate to <VIP_EG_install_location>\jvm\bin.
VIP EG 10.x and later: type keytool -printcert -file "C:\Program Files\Symantec\VIP_Enterprise_Gateway\confoot.pem" >C:\certs.txt (adjust the path, if necessary)
VIP EG 9.9.2: type keytool -printcert -file "C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\confoot.pem" >C:\certs.txt (adjust the path, if necessary)
View the contents of the C:\certs.txt file and search for the line CN=DigiCert Global Root G2.

SSL connection test (Windows):

Open an administrative command prompt and navigate to <VIPEG_install>\tools. Run this command: openssl s_client -connect newca.vip.symantec.com:443 -CAfile "C:\Program Files\Symantec\VIP_Enterprise_Gateway\confoot.pem"
9.10.1 (unpatched) and lower - expected failure: "Verify return code: 20 (unable to get local issuer certificate)"
9.9.2 patched, 9.10.2 patched and 9.11.x - expected success: "Verify return code: 0 (ok)"

SSL connection test (Linux):

From /conf directory, run the command: openssl s_client -connect newca.vip.symantec.com:443 -CAfile ./root.pem
9.10.1 (unpatched) and lower - expected failure: "Verify return code: 20 (unable to get local issuer certificate)"
9.9.2 patched, 9.10.2 patched and 9.11.x - expected success: "Verify return code: 0 (ok)"

VIP_EG_G2Support.zip get_app