With various platforms no longer accepting web server certificates that chain to the VeriSign PCA3 G5 root certificate, Symantec will be replacing the SSL certificate on all VIP Authentication service end-points and VIP Web Services API end-points. These new SSL certificates will chain to the DigiCert Global Root CA. This DigiCert root certificate is broadly embedded into the default trust root CA store of all popular web browsers, operating systems, and native programming platforms.
As a result, organizations utilizing VIP Services API end-points must verify the application server(s) trusts the DigiCert Global Root CA certificate.
Symantec is providing email reminders 90, 60 and 30 days prior to the migration. This article is linked from those emails and contains the latest information. Changes to your environment should be implemented as soon as possible.
Are my VIP components are affected?
► Pinned VIP Services applications: Certificate pinning is the process of associating a host with the expected certificate. Organizations using certificate pinning to the VeriSign PCA3 G5-chained certificates within their application should update the pinning hierarchy to trust the DigiCert Global Root CA.
► VIP Web Services: All application server(s) that connect to VIP Web Services API endpoints must trust the DigiCert Global Root CA certificate.
► VIP AD FS Integrations: AD FS servers configured to use the VIP integration module for MFA must upgrade to VIP plugin version 9.9 or later. Click here for additional instructions.