Alert ID : GN060618204021

Last Modified : 06/12/2018

Symantec Managed PKI Web Services: Migration to DigiCert TLS Certificate

Description

What is happening?

DigiCert will be renewing the TLS certificate on our Web Service servers, and we would like to take this opportunity to move to a complete DigiCert hierarchy. Only the TLS certificate hierarchy changes; we do not plan to change any FQDN/URL currently in use on symauth.com, which is a DigiCert-owned domain.

During this transition there is no impact on default or market-standard environments running a Web Service client. If your organization has a rule to remove unused TLS trust anchors, we ask you to add this trust anchor before our changes.

Production FQDN

| Products | FQDN |
|---|---|
| MPKI 8.x Production | pki-ws.symauth.com |
| MPKI 7.x Production | pkiservices.symauth.com, (pkiservices.verisign.com) |
| MPKI 7.x Pilot | pilot-pkiservices.symauth.com, (pilot-pkiservices.verisign.com) |


For MPKI 7, we strongly ask you to move to the symauth.com FQDN. We will terminate support for the verisign.com FQDN later this year.

For your testing before the Production change, we will provide test FQDNs. You can test with the FQDNs below; please refer to the schedule in the next section.

Test site FQDN

| Products | FQDN |
|---|---|
| MPKI 8.x Production | pki-ws-test.symauth.com |
| MPKI 7.x Production | pkiservices-test.symauth.com |
| MPKI 7.x Pilot | pilot-pkiservices-test.symauth.com |

 

We will use the DigiCert EV Root CA shown below.

CN = DigiCert High Assurance EV Root CA
OU = www.digicert.com
O = DigiCert Inc
C = US

Serial : 02 ac 5c 26 6a 0b 40 9b 8f 0b 79 f2 ae 46 25 77

These URL endpoints are used by developers to integrate Managed PKI certificate lifecycle tasks into their RA (Registration Authority) applications through the Symantec cloud. The mPKI 8 Microsoft auto-enrollment server also uses these URLs to communicate with Symantec. If your organization has implemented mPKI web services and/or mPKI 8 Microsoft auto-enrollment, you are affected. Please refer to: https://knowledge.digicert.com/generalinformation/symantec-managed-pki-web-services--sha2-migration-faq-and-test-i.html


To minimize the impact of this migration, the migration process will happen in two phases:

Phase 1 (Completed by June 19th, 2018)

We will set up a test site of PKI Web Services that works with the existing environment; its SSL/TLS certificates will migrate to a new DigiCert SSL/TLS certificate that chains up to the DigiCert High Assurance EV Root CA. Every customer can test against the test site FQDNs to make sure this works in their Web Service client environment.

This test should be completed by July 24th, 2018.

 

Phase 2 (To be completed on July 24th, 2018)

Production PKI Web Services SSL/TLS certificates will migrate to a new DigiCert SSL/TLS certificate that chains up to the DigiCert High Assurance EV Root CA.

 

What action should I take?

If you are affected, do the following:

- Verify the presence of the DigiCert High Assurance EV Root CA in the trusted root store on your server.
  (Note: This CA has been trusted by default in Java version 1.4.2+.)

- Follow the test procedures found at https://knowledge.digicert.com/generalinformation/symantec-managed-pki-web-services--sha2-migration-faq-and-test-i.html to ensure connectivity.


How do I determine if the Root CAs are present in my root certificate store?

If PKI Web Services is functioning with the test site, you are all set. If your environment doesn’t have the DigiCert High Assurance EV Root CA, which is required for Phase 1 testing, download it here:

https://www.digicert.com/digicert-root-certificates.htm
(Click the Download link for ‘DigiCert High Assurance EV Root CA’.)

 

To verify the presence of the DigiCert High Assurance EV Root CA, check the certificate trust store. For example:

 

If using a standard Java trust store, run the following command:

<JRE>/bin/keytool -v -list -keystore <file>

Check that the Root CA entry uses 2048-bit RSA with a SHA1 signature algorithm. Sample output is shown below:

Alias name: digicerthighassuranceevrootca
Creation date: Apr 16, 2008
Entry type: trustedCertEntry

Owner: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 2ac5c266a0b409b8f0b79f2ae462577
Valid from: Fri Nov 10 09:00:00 GMT+09:00 2006 until: Mon Nov 10 09:00:00 GMT+09:00 2031
Certificate fingerprints:
    MD5:  D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A
    SHA1: 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
    SHA256: 74:31:E5:F4:C3:C1:CE:46:90:77:4F:0B:61:E0:54:40:88:3B:A9:A0:1E:D0:0B:A6:AB:D7:80:6E:D3:B1:18:CF
    Signature algorithm name: SHA1withRSA
    Version: 3

 

If using a trust store other than Oracle or Java, refer to your trust store provider documentation for instructions on how to check for the presence of a certificate/CA.

If necessary, install the appropriate Root CA. Once completed successfully, no further action is necessary.
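
The check above can be scripted. The following is an added example, not part of the original advisory: a shell function that scans keytool -v -list output for this root, matching on both the serial number and the SHA-256 fingerprint given on this page. The function names and the decoy entry are constructed for illustration; the serial is normalized because keytool prints it without its leading zero.

```shell
#!/bin/sh
# Added example (not from the original advisory): find the DigiCert High
# Assurance EV Root CA in `keytool -v -list` output by serial and SHA-256.

# Both values are copied from this page.
EXPECTED_SERIAL="02 ac 5c 26 6a 0b 40 9b 8f 0b 79 f2 ae 46 25 77"
EXPECTED_SHA256="74:31:E5:F4:C3:C1:CE:46:90:77:4F:0B:61:E0:54:40:88:3B:A9:A0:1E:D0:0B:A6:AB:D7:80:6E:D3:B1:18:CF"

# find_root: reads keytool output on stdin, prints the alias of the entry whose
# serial AND SHA-256 fingerprint both match; exit status 0 if found, 1 if not.
find_root() {
    awk -v want_sn="$EXPECTED_SERIAL" -v want_fp="$EXPECTED_SHA256" '
        # Drop separators and lowercase so "02 AC" and "02:ac" compare equal.
        function hex(s) { gsub(/[ :\t]/, "", s); return tolower(s) }
        # keytool prints the serial as a number, without leading zeros
        # (2ac5c26... on this page), so strip them before comparing.
        function serial(s) { s = hex(s); sub(/^0+/, "", s); return s }
        BEGIN { want_sn = serial(want_sn); want_fp = hex(want_fp) }
        /^[ \t]*Alias name:/ {
            alias = $0; sub(/^[ \t]*Alias name:[ \t]*/, "", alias); sn = ""
        }
        /^[ \t]*Serial number:/ { sn = serial($3) }
        /SHA256:/ {
            fp = $0; sub(/^.*SHA256:/, "", fp)
            if (hex(fp) == want_fp && sn == want_sn) { print alias; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample input: the entry shown on this page plus a made-up decoy.
sample_keytool_output() {
    cat <<'EOF'
Alias name: constructed-decoy-ca
Serial number: 1234abcd
Certificate fingerprints:
    SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Alias name: digicerthighassuranceevrootca
Serial number: 2ac5c266a0b409b8f0b79f2ae462577
Certificate fingerprints:
    SHA256: 74:31:E5:F4:C3:C1:CE:46:90:77:4F:0B:61:E0:54:40:88:3B:A9:A0:1E:D0:0B:A6:AB:D7:80:6E:D3:B1:18:CF
EOF
}

# Real use: "$JAVA_HOME/bin/keytool" -v -list -keystore <file> | find_root
sample_keytool_output | find_root
```

Matching on the fingerprint as well as the serial avoids accepting an entry that merely shares the alias or subject name with the expected root.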

 

Note: If you are using the trust store available in the Symantec PKI Web Service client sample package, you need to install the DigiCert Root CA.

 

 

What if I have additional questions?

Refer to https://knowledge.digicert.com/generalinformation/symantec-managed-pki-web-services--sha2-migration-faq-and-test-i.html

Open a case with Symantec Technical Support: https://support.symantec.com/en_US/contact-support.html

 
