Required upgrade for Symantec VIP Services and VIP Integration for Microsoft AD FS customers

search cancel

Required upgrade for Symantec VIP Services and VIP Integration for Microsoft AD FS customers

book

Article ID: 150947

calendar_today

Updated On:

Products

VIP Service

Issue/Introduction

Required upgrade for Symantec VIP Services and VIP Integration for Microsoft AD FS customers

Resolution

What happened?

With various platforms no longer accepting web server certificates that chain to the VeriSign PCA3 G5 root certificate, Symantec will be replacing the SSL certificate on all VIP Authentication service end-points and VIP Web Services API end-points. These new SSL certificates will chain to the DigiCert Global Root CA. This DigiCert root certificate is broadly embedded into the default trust root CA store of all popular web browsers, operating systems, and native programming platforms.

As a result, organizations utilizing VIP Services API end-points must verify the application server(s) trusts the DigiCert Global Root CA certificate.

Completed:

NEW DATE: The targeted date for this change has moved from December 2019 to January 14, 2020, at 2:00 PM PST. :

Symantec is providing email reminders 90, 60 and 30 days prior to the migration. This article is linked from those emails and contains the latest information. Changes to your environment should be implemented as soon as possible.

Are my VIP components are affected?

► Pinned VIP Services applications: Certificate pinning is the process of associating a host with the expected certificate. Organizations using certificate pinning to the VeriSign PCA3 G5-chained certificates within their application should update the pinning hierarchy to trust the DigiCert Global Root CA.

► VIP Web Services: All application server(s) that connect to VIP Web Services API endpoints must trust the DigiCert Global Root CA certificate.

► VIP AD FS Integrations: AD FS servers configured to use the VIP integration module for MFA must upgrade to VIP plugin version 9.9 or later.

► VIP Enterprise Gateway: No further action is required. Both root CAs are part of the Enterprise Gateway trust store. VIP certificates from VIP Manager are not affected.

► VIP Integrations: Only the VIP Integration for AD FS servers is affected.

► VIP Manager: The VIP Manager portal and VIP certificates through VIP Manager are not affected. Reissuing VIP certificates is not necessary.

What URLs were affected?

VIP Provisioning Service:
https://services.vip.symantec.com

VIP Authentication Service:
https://goidservices-auth.vip.symantec.com
https://services-auth.vip.symantec.com

VIP User Authentication Service:
https://userservices-auth.vip.symantec.com
https://messaging.vip.symantec.com

For your reference:

Existing PCA3 G5 root certificate currently used by VIP Services:

Common Name: VeriSign Class 3 Public Primary Certification Authority - G5
Full Subject name: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Certificate Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a

Updated DigiCert Global Root CA certificate to be used by VIP Services:

Common Name: DigiCert Global Root CA
Full Subject name: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Certificate Serial Number: 08 3b e0 56 90 42 46 b1 a1 75 6a c9 59 91 c7 4a
Certificate (download here):

─►Intermediate DigiCert SHA2 Secure Server CA

Issued from: Common Name: DigiCert SHA2 Secure Server CA
Full Subject name: C = US, O = DigiCert Inc, CN = DigiCert Global Root CA
Certificate Serial Number: ‎01 fd a3 eb 6e ca 75 c8 88 43 8b 72 4b cf bc 91
This intermediate certificate is sent from the server with the SSL certificate.
Certificate:

Feedback

thumb_up Yes

thumb_down No