
Alert ID : GN060618204956

Last Modified : 06/12/2018

Symantec Managed PKI Web Services: FAQ for DigiCert Hierarchy Migration and Test Instructions

Description

Symantec Managed PKI Web Services: SHA2 Migration FAQ and Test Instructions


(Continued from https://knowledge.digicert.com/generalinformation/symantec-managed-pki-web-services--migration-to-digicert-tls-cer.html)

 

Will Symantec PKI Web Services be interrupted during the migration?

No. As a migration is performed on one node, traffic will be re-directed and balanced across other nodes, and repeated until the migration is complete.
 

Is my organization affected by this migration?


In the Symantec PKI 8 Manager, check the enrollment method of the certificate profile you created. A profile whose enrollment method shows as Microsoft Autoenrollment and/or PKI Web Services is affected by this migration:


All non-auth services, such as the SSP and enrollment pages, will be migrated to the DigiCert hierarchy at the same time; if your trust store does not contain the DigiCert Root CA, take an action similar to adding the CA.
 

We use an MDM and/or a LKMS to manage certificates on devices. Do we need to make any changes?

The DigiCert High Assurance EV Root CA must be present in the root store. Refer to: https://knowledge.digicert.com/generalinformation/symantec-managed-pki-web-services--migration-to-digicert-tls-cer.html

 

Do our end-users need to take any action?

No updates are required from your end-users. End users' browsers already include the DigiCert Root CA, so no action is needed. If your customers use a custom browser or device, please contact our support to understand what is needed.
This Web Service API site is called by your client with the RA certificate; no end-user browser or device calls this Web Service site directly.

 

What will the new G5 cert chain look like?

Certificate                                   Algorithm   Note
DigiCert High Assurance EV Root CA            Sha1
DigiCert SHA2 Extended Validation Server CA   Sha256RSA
pki-ws.symauth.com                            Sha256RSA


How do I test a SHA-2 end-point using the G5 root CA before the migration?

DigiCert has created live SHA2 end-points for testing purposes by June 19th. These URLs chain to the DigiCert root CA that will be used after the migration. DigiCert recommends using Symantec mPKI components version 8.17 or later.

 

mPKI 8: https://pki-ws-test.symauth.com/

mPKI 7 Pilot: https://pilot-pkiservices-test.verisign.com

mPKI 7 Production: https://pkiservices-test.verisign.com

 

Please perform the getPolicy operation to test SHA-2 connectivity between June 19th and July 24th.

 

mPKI 7:

Download and unzip Managed PKI Web Services 1.0.3 from the Download>Software>Software and Toolkits section of Managed PKI Control Center to your environment where the runtime environment is installed. Documentation (PKIWebSrv.pdf) is included in download. PKI WS Java Utility is available under mpki7_webservices_1_0_3\tools\clientApp.

It is not necessary to obtain a new RA certificate to perform SHA2 SSL testing. The existing RA should be used.

If you don’t already have the java key stores created for your production account, create a Java key store with the production RA certificate by referring to the “Obtaining Your Registration Authority Certificate” section of the PDF to generate the required java key stores.

To perform a getPolicy web service call, update the clientConfig.txt. policy file under pkiclient/sampleClient/tools/clientApp to include the following:

host=https://pkiservices-test.symauth.com

ssl.keystore=<Path to java key store containing the RA certificate>

ssl.keystorepass=<Password for above key store>

Make the call using the following command:

java -jar pkiwebserviceclient.jar -config <config file> -operation <operation> [-input <input file>]

The response on the console should be the same as when pointing to https://pki-ws.symauth.com.

If the connection is successful, a connection has been established using the DigiCert Root CA chain. https://pki-ws.symauth.com will use this same chain after July 24th and no further action is required.

If the connection is not successful and returns SSL/TLS handshake errors, add the DigiCert Root CA to the client trust store and then check that all of the following apply, since the end-entity and intermediate CA certificates are signed with SHA2:

 

Does my client runtime support the SHA2 signature algorithm?

Is my client runtime connecting with a cipher suite no longer supported by SHA2 certificate?

Is my client runtime connecting using TLS1.0 or 1.1 or 1.2, and not SSLv3?

 

mPKI 8:

Download and unzip symantec-pki-webservices-1-17.4.zip from the Resources>Symantec PKI Web Services section of PKI Manager to your production environment where the Java Runtime (JRE) is installed. Documentation is available under pkiclient/documentation/MPKIWebSrv.pdf. The PKI WS Java Utility is available under pkiclient/sampleClient/tools/clientApp/pkiwebserviceclient.jar.


Please refer to chapter 3 "PKI Web Service Java Utility" of the MPKIWebSrv.pdf as a reference when performing this test. It is not necessary to obtain a new RA certificate to perform SHA2 SSL testing. The existing RA should be used.

If you don’t already have the java key stores created for your production account, create a Java key store with the production RA certificate by referring to “Obtaining a RA Certificate to Store in a Java Keystore File” section of the PDF to generate required java key stores.

To perform a getPolicy web service call, update the clientConfig.txt.onePolicy file under pkiclient/sampleClient/tools/clientApp to include the following:

 

host=https://pki-ws-test.symauth.com

ssl.keystore=<Path to java key store containing the RA certificate>

ssl.keystorepass=<Password for above key store>

getpolicy.policyOid=<Policy Oid. For ex : 2.16.840.1.113733.1.16.1.2.5.2.1.615619177>

Make the call using the following command:

java -jar pkiwebserviceclient.jar -config clientConfig.txt.onePolicy -operation getpolicy

The response on the console should be the same as when pointing to https://pki-ws.symauth.com.

If the connection is successful, a SHA-256 connection has been established using the DigiCert High Assurance EV Root CA chain. https://pki-ws.symauth.com will use this same chain after Phase 2 and no further action is required.

If the connection is not successful and returns SSL/TLS handshake errors, add the DigiCert Root CA to the client trust store and then check that all of the following apply, since the end-entity and intermediate CA certificates are signed with SHA2:
 

Does my client runtime support the SHA2 signature algorithm?

Is my client runtime connecting with a cipher suite no longer supported by SHA2 certificate?

Is my client runtime connecting using TLS1.0 or 1.1 or 1.2, and not SSLv3?
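The three checks above (and the chain table earlier on this page) come down to one question: which signature algorithm is on each certificate the end-point serves. The script below is an added example, not part of this article or of the mPKI Web Services toolkit. It reads the signatureAlgorithm OID straight out of the DER of each certificate in a PEM chain using only the Python standard library, so it can be run on the output of `openssl s_client -connect pki-ws-test.symauth.com:443 -showcerts` saved to a file. The chain embedded in it is a constructed stand-in (dummy tbsCertificate and signature, real outer layout) that mirrors the table: SHA-256 on the end-entity and intermediate, SHA-1 on the root. A SHA-1 self-signature on the root is not a SHA-2 problem, because a client trusts the root by having it in its trust store and never verifies that signature; only the intermediate and end-entity signatures matter.

```python
"""Report the signature algorithm of every certificate in a PEM chain.

Added example (not from the DigiCert/Symantec article or the mPKI toolkit).
Walks the outer DER layout of an X.509 Certificate,
  SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue },
just far enough to read the signatureAlgorithm OID.  SAMPLE_CHAIN is a
constructed stand-in so the script runs offline; pass a real PEM file
(e.g. saved from "openssl s_client -showcerts") as the first argument.
"""
import base64
import re
import sys

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA2_OIDS = set(SIG_ALG_NAMES) - {"1.2.840.113549.1.1.5"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Parse one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Return the dotted signatureAlgorithm OID of one DER-encoded certificate."""
    tag, pos, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)             # tbsCertificate (skipped)
    _, alg_pos, _ = _read_tlv(der, tbs_end)         # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_pos)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def check_chain(pem_text):
    """Return [(index, algorithm name, is_sha2)] per certificate, in served order."""
    report = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        oid = signature_algorithm_oid(base64.b64decode("".join(b64.split())))
        report.append((i, SIG_ALG_NAMES.get(oid, oid), oid in SHA2_OIDS))
    return report


# --- constructed sample chain (leaf, intermediate, root) mirroring the page's table ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _fake_cert_pem(sig_oid):
    """Constructed certificate: real outer layout, dummy tbsCertificate and signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00\x00\x00\x00")
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


SAMPLE_CHAIN = (_fake_cert_pem("1.2.840.113549.1.1.11")      # pki-ws.symauth.com
                + _fake_cert_pem("1.2.840.113549.1.1.11")    # DigiCert SHA2 EV Server CA
                + _fake_cert_pem("1.2.840.113549.1.1.5"))    # root: SHA-1 self-signature

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    for index, name, sha2 in check_chain(text):
        print("cert %d: %-26s %s" % (index, name, "SHA-2" if sha2 else "not SHA-2"))
```

Run it as `python chain_sigalgs.py chain.pem`; a chain whose first two entries report SHA-2 and whose last (root) entry reports SHA-1 matches the table above and is expected. A SHA-1 result on entry 0 or 1 would mean the client is not reaching the migrated end-point.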

Do you have a list of operating systems, browsers, and servers that support SHA-2 for SSL/TLS certificates?

For a list of operating systems, browsers, and servers that support SHA-2 for SSL/TLS certificates see https://casecurity.org/wp-content/uploads/2014/09/SHA-256-Support-List.pdf

What changes are being made to the cipher suites?

There is no plan to change the cipher suites.

All network communications from clients (web service clients and web browsers) to the mPKI Service’s servers use the SSL/TLS secure protocol, which supports multiple cryptographic algorithms (cipher suites).

When a client attempts to establish an SSL/TLS connection to a server, the client presents a list of the cipher suites it supports and the server picks a cipher suite on the list presented by the client. If the client does not support at least one cipher suite strong enough that the server will accept it, the client will be unable to establish a network connection to the server.
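The negotiation just described, modelled as an added example (not code from this article or the mPKI Web Services toolkit): the client offers its protocol versions and cipher suites, the server picks, and an empty intersection is exactly the SSL/TLS handshake error the test steps above warn about. The client profiles and the server policy are constructed; the policy is a hypothetical stand-in for the end-point's configuration, which this page does not publish. Suite names use OpenSSL's spelling so the suites your own Python runtime offers can be fed through the same function.

```python
"""Model of SSL/TLS version and cipher-suite negotiation.

Added example, not from the DigiCert/Symantec article or the mPKI toolkit.
SERVER_POLICY and CLIENTS are constructed; the policy is a hypothetical
stand-in for the mPKI end-point's configuration.
"""
import ssl

SSLV3, TLS10, TLS11, TLS12 = "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
_VERSION_ORDER = [SSLV3, TLS10, TLS11, TLS12]


class HandshakeFailure(Exception):
    """The server found nothing acceptable in the client's offer."""


def negotiate(client_versions, client_suites, server_policy):
    """Server-side choice: the client offers, the server picks.  Highest shared
    protocol version first, then the first suite in the server's preference
    order that the client also offered (the usual server-preference setup)."""
    shared = [v for v in _VERSION_ORDER
              if v in client_versions and v in server_policy["versions"]]
    if not shared:
        raise HandshakeFailure("no common protocol version; client offered: %s"
                               % ", ".join(client_versions))
    for suite in server_policy["suites"]:
        if suite in client_suites:
            return shared[-1], suite
    raise HandshakeFailure("no shared cipher suite; client offered: %s"
                           % ", ".join(client_suites))


# Hypothetical server policy: SSLv3 disabled, ECDHE/GCM suites preferred,
# plain AES-CBC suites kept so older TLS 1.0 runtimes can still connect.
SERVER_POLICY = {
    "versions": [TLS10, TLS11, TLS12],
    "suites": ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
               "AES256-SHA", "AES128-SHA"],
}

# Constructed client profiles: (versions offered, suites offered).
CLIENTS = {
    "sslv3-only runtime": ([SSLV3], ["RC4-SHA", "DES-CBC3-SHA", "AES128-SHA"]),
    "old TLS 1.0 runtime": ([SSLV3, TLS10], ["RC4-SHA", "DES-CBC3-SHA"]),
    "patched TLS 1.0 runtime": ([SSLV3, TLS10], ["DES-CBC3-SHA", "AES128-SHA"]),
    "modern runtime": ([TLS10, TLS11, TLS12],
                       ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]),
}


def try_client(name):
    """Return (version, suite) for a profile, or the failure message as a string."""
    versions, suites = CLIENTS[name]
    try:
        return negotiate(versions, suites, SERVER_POLICY)
    except HandshakeFailure as exc:
        return "handshake failure: %s" % exc


def local_client_suites():
    """Cipher suites the local Python/OpenSSL runtime enables by default."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


if __name__ == "__main__":
    for name in CLIENTS:
        print("%-24s -> %s" % (name, try_client(name)))
    try:
        print("this Python runtime      -> %s"
              % (negotiate([TLS12], local_client_suites(), SERVER_POLICY),))
    except HandshakeFailure as exc:
        print("this Python runtime      -> handshake failure: %s" % exc)
```

The first two profiles fail for the two different reasons listed in the checklists above (no acceptable protocol version, then no acceptable suite), which is why collecting the client's SSL debug output matters: the error text alone does not say which of the two it was.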

If you experience SSL/TLS handshake errors after following the test steps, contact DigiCert Technical Support.

To contact technical support: https://www.websecurity.symantec.com/support/contact?id=contact-authentication-services

Collect the following data before contacting technical support:

Client runtime name and version (e.g. Java 1.7.0_31 or .NET 4.5)

If applicable client libraries used and its version (e.g. Axis 2.0)

Operating System name and version (e.g.: Windows 2012 Server R2)

SSL debug output logs captured in a file (e.g. in Java, SSL debug can be turned on by passing -Djavax.net.debug=ssl to the client JVM)
