Enable support for the TLS 1.2 protocol | PKI Platform 8

Solution ID : SO190721142156
Last Modified : 10/21/2023

Scenario

On August 30, 2021, the PKI Platform 8 will deprecate support for Transport Layer Security (TLS) 1.0 and 1.1.

What happens if I don't upgrade to TLS 1.2?

Any applications and services still using the TLS 1.0 and TLS 1.1 protocols to communicate with DigiCert using HTTPS will be unable to enroll, renew, search, or revoke certificates, including PKI Platform 8 on-premises components.

Solution

To align with industry and security best practices and as part of DigiCert's continued effort to maintain a world-class PKI platform, PKI Platform 8 will deprecate support for Transport Layer Security (TLS) 1.0 and 1.1 on August 30, 2021.

What do I need to do?

DigiCert recommends updating dependent crypto libraries used by clients, such as Java and .Net, to a version that supports TLS 1.2.

Enrollment flow | Action required? | Note
Browser-based enrollments | No | The current versions of all major browsers support TLS 1.2.
iOS | No | Already supports TLS 1.2.
PKI Client | No | Not affected by the change.
PKI Client for Android | No | Not affected by the change.
DigiCert Desktop Client | No | Not affected by the change.
SCEP Proxy Server | Yes | Ensure you are using a version of Java on your SCEP Proxy Server that supports TLS 1.2.
Local Key Escrow and Recovery Service | No | If you run the DigiCert recommended Java version (JRE v8), which supports TLS 1.2, no action is required.
Microsoft Autoenrollment Server | No | Not affected by the change.
Enrollments using PKI Enterprise Gateway for authentication | Yes | Refer to the PKI Enterprise Gateway section below for details on how to enable support for TLS 1.2.
Third-party integrations | Yes | Contact your vendor to verify their support for TLS 1.2.

PKI Enterprise Gateway

To enable support for TLS 1.2 with PKI Enterprise Gateway version 1.21.1 or older, you can either modify the registry key or update the .Net Framework.

Note: PKI Enterprise Gateway version 1.22.1 and onwards makes use of TLS 1.2 by default.

Option 1: Modify the Registry Key

Step 1: Stop the Internet Information Server (IIS) instance hosting your RA service.

Step 2: If you use the optional Key Escrow and Recovery Service, stop the Tomcat Web Server hosting it.

Step 3: Add or modify the registry key entry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Step 4: Start the IIS instance hosting your RA Service.

Step 5: If you use the optional Key Escrow and Recovery Service, start the Tomcat Web Server hosting it.
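The following PowerShell script is an added example, not a DigiCert-supplied tool. It audits the SchUseStrongCrypto value named in Step 3 and, when run with -Apply, carries out Steps 1 to 5 of Option 1 for the 64-bit .NET Framework 4.x key. The IIS site name and Tomcat service name are placeholders you must replace, and the script assumes an elevated session on the PKI Enterprise Gateway host.

```powershell
# Added example (not DigiCert's own script): audit and, with -Apply, set the
# SchUseStrongCrypto value described in Option 1 for the 64-bit .NET Framework 4.x key.
# Assumptions: run elevated on the PKI Enterprise Gateway host; site and service
# names below are placeholders, not values from this article.
param(
    [switch]$Apply,
    [string]$RaSiteName    = 'REPLACE-WITH-RA-SITE-NAME',       # placeholder
    [string]$TomcatService = 'REPLACE-WITH-TOMCAT-SERVICE-NAME' # placeholder, optional
)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$Name    = 'SchUseStrongCrypto'

function Get-StrongCryptoState {
    # Returns 'missing', 'enabled', or the unexpected value currently stored.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item)   { return 'missing' }
    if ($item.$Name -eq 1) { return 'enabled' }
    return "set to $($item.$Name)"
}

Write-Host "SchUseStrongCrypto under $KeyPath is: $(Get-StrongCryptoState)"

if (-not $Apply) {
    Write-Host 'Audit only. Re-run with -Apply to perform Steps 1-5 of Option 1.'
    return
}

# Step 1: stop the IIS site hosting the RA service.
Import-Module WebAdministration
Stop-Website -Name $RaSiteName

# Step 2: stop the optional Key Escrow and Recovery Service (Tomcat) if it exists.
$tomcat = Get-Service -Name $TomcatService -ErrorAction SilentlyContinue
if ($tomcat) { Stop-Service -Name $TomcatService }

# Step 3: add or modify the value as REG_DWORD 1 (same as the .reg file above).
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null

# Steps 4 and 5: start the services again, then confirm the value took effect.
Start-Website -Name $RaSiteName
if ($tomcat) { Start-Service -Name $TomcatService }
Write-Host "After change: $(Get-StrongCryptoState)"
```

The article covers only the 64-bit key; a 32-bit application process reads the same value under HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319, which you would need to set separately if your RA service runs as a 32-bit process.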

Option 2: Update the .Net Framework

Step 1: Stop the Internet Information Server (IIS) instance hosting your RA service.

Step 2: If you are using the optional Key Escrow and Recovery Service, stop the Tomcat Web Server hosting it.

Step 3: Back up the RA Service’s web.config file and add targetFramework="4.7.1" to the httpRuntime tag.

<configuration>
   <system.web>
      <httpRuntime ... targetFramework="4.7.1" />
   </system.web>
</configuration>

Example of the complete httpRuntime configuration line:

<httpRuntime executionTimeout="90" maxRequestLength="1048576" useFullyQualifiedRedirectUrl="false" minFreeThreads="8" minLocalRequestFreeThreads="4" appRequestQueueLimit="100" targetFramework="4.7.1"/>

Step 4: Start the IIS instance hosting your RA Service.

Step 5: If you use the optional Key Escrow and Recovery Service, start the Tomcat Web Server hosting it.

API Integrations

When communicating with DigiCert's endpoints, ensure that you enforce the use of TLS 1.2.

For API integrations with PKI Platform 8 that use the SOAP or RESTful API interfaces from Java or the Microsoft .Net Framework, verify that you are using at least the minimum required version listed below.

API integration | Minimum required version
Java | Java JRE/JDK 8
.Net Framework | 4.7.1

Related articles

PKI Platform 8 Ending Support for TLS 1.0 and 1.1

If you have questions or concerns about making the transition to TLS 1.2 in time, contact your account manager or support team. We're here to help you.