Showing results for 
Search instead for 
Did you mean: 

Production Certificate Upgrades begin May 26, 2015

Authorize.Net will upgrade and replace Production certificates for API services starting May 26, 2015. Technical details are provided for solutions connecting to Authorize.Net APIs that may need updates.


To see the full announcement, please see this blog post.

Administrator Administrator
172 REPLIES 172

Thank you so much for this post seeraig, I went from "Dead In The Water" to "Up And Running" with one command line string. Crazy! I am on CF9/Server 2008 R2. My MMC is packed with certificates now thanks to! They just kept telling me to install this and that certificate. should be a bit embarrassed by this...


Thanks again! Much appreciated!



I took Seeraig's word for it and just adding that one certificate to the Java keystore worked when I tested it.


Note: I tried a CFMX7 install and that same code to install the key and failed. So you'll need another set of commands to add the keystore to a CF7 box.

Actually, we are having problems installing the CERT on our CFMX7 server.


We get this error:  keytool error: 1.2.840.113549.1.1.11 Signature not available


Is your CFMX7 installed on a Windows machine?

Someone in this thread earlier mentioned this video - and as a last resort (because I tried everything was telling me) I tried what was in the video.. and it worked!!!

I just had to change the location where my folders were located vs what was in the video.
and the certificate that i installed was the entrust_g2_ca.cer

Also - when I restarted CF - it wouldnt restart.. so I had to restart the entire server.

I just tested my form and it is once again working.


I am running CF8 with a ssl cert on the site from Thawte. (of course is really only saying their solution works with 3 ssl vendors).

Thank you to the developer that posted that video - I wish I could find your name.. but so many pages of issues in this thread I will send you a virtual 6-pack! :-)


Thank you seeraig for the solution!!!

Has anyone dealt with this "upgrade" for a DotNetNuke site hosted in a shared environment?  I'm not having any luck figuring this out and cannot process new orders.  Any help or a point in the right direction would be greatly appreciated.

@fs8972 We never did get it working in CFMX7/Linux. Speculation: the JRE we're using (1.4.x IIRC) is simply too old to deal with the SHA256-signed Entrust G2 cert. Upgrading the JRE is a royal PITA—we're not exactly a Java shop—and successfully using a later JRE's keytool to import into the older JRE's keystore worked... but didn't fix anything.


We're currently in the process of migrating everything to cfexecute+cURL. (We had to update OpenSSL and cURL on these servers as well. Stupid legacy servers. At least that part went very easy.) We had hopes of seeing a viable solution using cfhttp but the lack of useful vendor-supplied information (esp. re: CFMX7) in this thread is pretty damning.


Vaya con dios.

Does anyone know if there is a version of "CFX_HTTP5" for ColdFusion applications that are on non-Windows servers (Linux). This seems like the way to go, but I would need it for my server type.


In general, on CFMX7, CFHTTP calls fail ("Connection Failure") when the URL is "HTTPS". So any CFHTTP calls will fail if the URL is secure.


For CFMX7, the version of JRE is 1.4. I am unable to install the proper certificate with that version.




Windows Server 2012 R2 Standard


Our client dropped the ball and didn't tell us about this until the day after it was implemented. Their payments have been broken for 48 hours and this is now critical:


Searching by SHA hash in the cert store on the server, I found 2/5 of the required certs already installed -- the Entrust certs still needed to be installed:

Entrust: Secure Server Certification Authority 99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539
Not installed Certification Authority (2048) 5030 0609 1D97 D4F5 AE39 F7CB E792 7D7D 652D 3431
Not installed
Entrust Root Certification Authority B31E B1B7 40E3 6C84 02DA DC37 D44D F5D4 6749 52F9
Not installed

Baltimore CyberTrust Root D4DE 20D0 5E66 FC53 FE1A 5088 2C78 DB28 52CA E474
Installed present in both Trusted Root Certification Authorities and Third-Party Root Certification Authorities
Both expire 2025

GeoTrust Global CA DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212
Installed present in both Trusted Root Certification Authorities and Third-Party Root Certification Authorities
Both expire 2022


I DLed and installed all 3 Entrust certs and have tried installing them into both the Intermediate Cert Auth store as well as the Third Party Root Cert Store via the cert util in MMC. Payments still broken per the client and the certs are not showing up in the cert chain via or the DigiCert chain check util. 


I then moved to focus on the suggested chain certs which may be needed "if explicitly requested by your developer."

Verizon Akamai SureServer CA G14-SHA2 Baltimore CyberTrust Root 6AD2 B04E 2196 E48B F685 7528 90E8 11CD 2ED6 0606
Entrust Certification Authority – L1K Entrust Inc CCA2 7D33 C735 A7D0 6D1F ECAD 980E 498D A681 C963
Entrust Root Certification Authority – G2 Entrust Inc 8CF4 27FD 790C 3AD1 6606 8DE8 1E57 EFBB 9322 72D4
GeoTrust SSL CA - G4 GeoTrust Global CA, GeoTrust Inc DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212

The final chain cert, GeoTrust SSL CA is already installed in Third Party Root Cert store in MMC and is therefore also present in Trusted Root Cert store.

I've located the other 3 certs just googling them (Verizon, Entrust L1K, and Entrust Root G2) and installed them into the Third Party Root store. They still did not show up in the cert chains. I removed them from that store and installed them in the Intermediate Cert Auth store. Still not showing up in the chain via Digicert or


Still not showing up in the chains via Digicert or



What in the world needs to be done to get these certs configured correctly? This is awful and urgent. 


Thank you.


Also on MX7, same fail. essentially doused my business in gasoline and tossed a match, but in their defense, they apparently sent a single email about the pending destruction some time back in April.