
When will the cert.pem file be updated to reflect the Entrust to DigiCert SSL migration?

Open gellieann opened this issue 1 year ago • 18 comments

We are using this PHP SDK in our application, so we will be waiting for the updated file.

Thank you.

gellieann avatar Sep 30 '24 01:09 gellieann

Same here. Please update the SDK with the new certificate.

hikashop-nicolas avatar Sep 30 '24 09:09 hikashop-nicolas

I've submitted a pull request with the latest cert.pem available: https://github.com/AuthorizeNet/sdk-php/pull/466

One thing I don't understand from the update notice: https://support.authorize.net/knowledgebase/Knowledgearticle/?code=KA-05545. It sounds like both the sandbox and production will switch at the same time, so how are you supposed to test it ahead of time? I checked and the sandbox still seems to have the Entrust cert (see below). But I can see that the new cert.pem has both the old Entrust cert and new DigiCert cert.

> openssl s_client -connect apitest.authorize.net:443 -showcerts
CONNECTED(000001BC)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net
verify return:1

demeritcowboy avatar Sep 30 '24 20:09 demeritcowboy

A member of my team received this email from authorize.net's support:

Thank you for contacting Authorize.net. We appreciate your continued trust in our service. I'm here to assist you with your query about the DigiCert SSL Certificate Migration.

As your gateway bridge, ensuring the security and legitimacy of each card transaction and information is our top priority. We're transitioning our SSL/TLS certificates from Entrust to DigiCert due to DigiCert's strong reputation for providing highly secure and reliable SSL certificates. DigiCert meets stringent industry standards and offers advanced security features, which are crucial for a payment gateway like Authorize.net.

If you utilize Authorize.net APIs and endpoint URLs on your website or application, you will need to update and integrate the newly issued Root and Intermediate (CA) SSL certificates from DigiCert before the scheduled revocation dates to avoid disruptions.

Regarding your concern about updating SDKs or making changes in the code, there's no need for any updates as this change only affects websites/payment systems using Authorize.net APIs and endpoint URLs.

To test before the certificate release date, you can use the Sandbox URLs: test.authorize.net or apitest.authorize.net.

For more detailed information, refer to our Knowledge Articles via Support.Authorize.net

  • Entrust to DigiCert SSL Certificate Migration (Article number KA-05545)
  • Where can I find the latest version of Authorize.net's server-level SSL certificates? (Article 000003009)

We hope this clarifies your query. If the information provided meets your needs, please close this Support Case. Otherwise, add an update to this Support Case with your follow-up questions so we can further assist you.

For more information, visit the Authorize.net Knowledge Base at https://support.authorize.net/, available 24x7.

For details regarding our privacy practices, visit the privacy page at Authorize.net.

This seems wrong. I want to make sure the SDK really is up to date or if we will need to manually add the certs before the 23rd/24th.

sdserage avatar Oct 09 '24 17:10 sdserage

I tried their tech support earlier but it's just a bot, or someone blindly copying ChatGPT answers.

The best I can figure, assuming the reference to DigiCert Global Root G2 is correct, is that that root certificate is already in the cert.pem in the SDK and so should be fine when they switch the server certificate. PR #466 is an updated version of all the root certificates, but has the same DigiCert Global Root G2, so the PR likely isn't required here, just it's nice to have a newer file than 2018.

I honestly don't understand why they haven't planned to switch the server certificate in the sandbox earlier than the live servers so that everyone can verify their integration in the sandbox first.

demeritcowboy avatar Oct 09 '24 17:10 demeritcowboy

Has anyone seen the certificate attached in the updated article "Where can I find the latest version of Authorize.net's server-level SSL certificates?"?

@demeritcowboy Do you think the certificate needs to be updated with this again?

gellieann avatar Oct 20 '24 06:10 gellieann

It's the same cert that's already in the current file.

demeritcowboy avatar Oct 20 '24 15:10 demeritcowboy

> It's the same cert that's already in the current file.

For the Root DigiCert Certificate yes, but the Intermediate DigiCert Certificate seems to be different.

gellieann avatar Oct 21 '24 02:10 gellieann

@demeritcowboy so if we apply the pull you listed above with the updated cert.pem we should be good right? I'm flabbergasted as to why there is no sandbox test period :(

bearinaustin avatar Oct 21 '24 18:10 bearinaustin

@gellieann The intermediate certs don't go in the root file. You usually only need to do something with intermediate certs if you have some kind of specialized integration that needs it.

@bearinaustin At the moment I don't think anybody needs to do anything since the old file already has the root cert for the new server cert. I didn't notice that when I first made the PR, so the updated cert.pem is just a nice-to-have.

demeritcowboy avatar Oct 21 '24 19:10 demeritcowboy
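The check discussed in the comments above (whether a CA bundle such as cert.pem already holds the root a new server chain will anchor to, and why an intermediate does not count) can be scripted. This is an added example, not part of the thread or the SDK; the function names are hypothetical, the test roots are constructed on the fly, and it assumes bash and the openssl CLI:

```bash
#!/usr/bin/env bash
# Added example (not SDK code): is a given root CA really in a PEM bundle?

# Split bundle $1 into one file per certificate under directory $2.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%04d.pem", dir, n) }
        out != ""                     { print > (out) }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Return 0 if bundle $1 holds an unexpired, self-issued certificate with CN $2.
bundle_has_root() {
    local tmp f subj iss rc=1
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        case ",$subj," in *",CN=$2,"*) ;; *) continue ;; esac
        [ "$subj" = "$iss" ] || continue          # an intermediate is not a trust anchor
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null || continue   # skip expired
        rc=0
    done
    rm -rf "$tmp"
    return $rc
}

# Constructed sample input: a throwaway bundle with two self-signed test roots.
make_demo_bundle() {
    local dir=$1 name
    for name in "Constructed Old Root" "Constructed New Root"; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Example/CN=$name" \
            -keyout "$dir/key.pem" -out "$dir/one.pem" 2>/dev/null || return 1
        cat "$dir/one.pem" >> "$dir/bundle.pem"
    done
}

demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir"
for cn in "Constructed New Root" "DigiCert Global Root G2"; do
    if bundle_has_root "$demo_dir/bundle.pem" "$cn"; then echo "present: $cn"
    else echo "MISSING: $cn"; fi
done
rm -rf "$demo_dir"
# Against a real bundle: bundle_has_root path/to/cert.pem "DigiCert Global Root G2"
```

The same function can be pointed at the bundle file an application actually loads, which is the file that matters when the server certificate changes.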

@demeritcowboy Thank you for clarifying.

gellieann avatar Oct 21 '24 23:10 gellieann

If I read the KB article correctly, it does not seem that any of the Accept CDN / API endpoints are affected though that seems odd to me? https://support.authorize.net/knowledgebase/Knowledgearticle/?code=KA-05545

I suppose I can inspect the certificate chain via SSL Labs and see if they are using the Entrust root and intermediary certificates or wait to see if there is any interruption after the cutover. But it would be nice if the KB article simply clarified this?

https://jstest.authorize.net/v1/ https://jstest.authorize.net/v3/ https://js.authorize.net/v1/ https://js.authorize.net/v3/

gregorysandoval avatar Oct 22 '24 22:10 gregorysandoval

So, it turns out we didn't really have to update anything since the new DigiCert certificates are already in the cert.pem. I will be closing this thread now. Thank you everyone.

gellieann avatar Oct 30 '24 18:10 gellieann

Yes probably but also authorize.net hasn't actually changed the server certs yet. The servers are still using the old Entrust one. ¯\_(ツ)_/¯

demeritcowboy avatar Oct 30 '24 19:10 demeritcowboy

> Yes probably but also authorize.net hasn't actually changed the server certs yet. The servers are still using the old Entrust one. ¯\_(ツ)_/¯

What the heck??

gellieann avatar Nov 06 '24 22:11 gellieann

Indeed.

I see they've updated the article today: https://support.authorize.net/knowledgebase/Knowledgearticle/?code=KA-05545

So now January, but they still don't appear to be scheduling a period where you can test in the sandbox for a while before the live change.

demeritcowboy avatar Nov 06 '24 22:11 demeritcowboy

> Indeed.
>
> I see they've updated the article today: https://support.authorize.net/knowledgebase/Knowledgearticle/?code=KA-05545
>
> So now January, but they still don't appear to be scheduling a period where you can test in the sandbox for a while before the live change.

Thank you for this! I guess we'll just have to wait for more updates. I will reopen to let everyone know.

And just when I thought this was over...

gellieann avatar Nov 19 '24 00:11 gellieann

They've updated the article on 12/09/2024 16:33 PM: https://support.authorize.net/knowledgebase/Knowledgearticle/?code=KA-05545

Certificate Migration Schedule Sandbox/Production: January 15, 2025

Still in just one day. :(

gellieann avatar Dec 16 '24 06:12 gellieann

> They've updated the article on 12/09/2024 16:33 PM: https://support.authorize.net/knowledgebase/Knowledgearticle/?code=KA-05545
>
> Certificate Migration Schedule Sandbox/Production: January 15, 2025
>
> Still in just one day. :(

Hey -- the website is showing "Certificate Migration Schedule Sandbox/Production: Feb 2025, exact date for switch over will be provided soon. It is recommended to complete adding any support for the new certificate by January 31, 2025."

Did they move it back 2 weeks?

bearinaustin avatar Jan 07 '25 20:01 bearinaustin