Authorize.Net will upgrade and replace Production certificates for API services starting May 26, 2015. Technical details are provided for solutions connecting to Authorize.Net APIs that may need updates.
To see the full announcement, please see this blog post.
04-24-2015 01:05 PM
Thank you so much for this post seeraig, I went from "Dead In The Water" to "Up And Running" with one command line string. Crazy! I am on CF9/Server 2008 R2. My MMC is packed with certificates now thanks to authorize.net! They just kept telling me to install this and that certificate.
authorize.net should be a bit embarrassed by this...
Thanks again! Much appreciated!
05-29-2015 07:13 AM
I took Seeraig's word for it and just adding that one certificate to the Java keystore worked when I tested it.
Note: I tried a CFMX7 install and that same code to install the key and failed. So you'll need another set of commands to add the keystore to a CF7 box.
05-29-2015 07:26 AM
Actually, we are having problems installing the CERT on our CFMX7 server.
We get this error: keytool error: java.security.NoSuchAlgorithmException: 1.2.840.113549.1.1.11 Signature not available
Is your CFMX7 installed on a Windows machine?
05-29-2015 07:56 AM
Someone in this thread earlier mentioned this video https://www.youtube.com/watch?v=ewT4aud-xww - and as a last resort (because I tried everything Authorize.net was telling me) I tried what was in the video.. and it worked!!!
I just had to change the location where my folders were located vs what was in the video.
And the certificate that I installed was the entrust_g2_ca.cer.
Also - when I restarted CF - it wouldn't restart, so I had to restart the entire server.
I just tested my form and it is once again working.
I am running CF8 with an SSL cert on the site from Thawte. (Of course Authorize.net is really only saying their solution works with 3 SSL vendors.)
Thank you to the developer that posted that video - I wish I could find your name.. but so many pages of issues in this thread I will send you a virtual 6-pack! :-)
05-29-2015 08:32 AM
Thank you seeraig for the solution!!!
05-29-2015 08:43 AM
Has anyone dealt with this "upgrade" for a DotNetNuke site hosted in a shared environment? I'm not having any luck figuring this out and cannot process new orders. Any help or a point in the right direction would be greatly appreciated.
05-29-2015 09:09 AM
@fs8972 We never did get it working in CFMX7/Linux. Speculation: the JRE we're using (1.4.x IIRC) is simply too old to deal with the SHA256-signed Entrust G2 cert. Upgrading the JRE is a royal PITA—we're not exactly a Java shop—and successfully using a later JRE's keytool to import into the older JRE's keystore worked... but didn't fix anything.
We're currently in the process of migrating everything to cfexecute+cURL. (We had to update OpenSSL and cURL on these servers as well. Stupid legacy servers. At least that part went very easy.) We had hopes of seeing a viable solution using cfhttp but the lack of useful vendor-supplied information (esp. re: CFMX7) in this thread is pretty damning.
Vaya con dios.
05-29-2015 09:20 AM
Does anyone know if there is a version of "CFX_HTTP5" for ColdFusion applications that are on non-Windows servers (Linux)? This seems like the way to go, but I would need it for my server type.
In general, on CFMX7, CFHTTP calls fail ("Connection Failure") when the URL is "HTTPS". So any CFHTTP calls will fail if the URL is secure.
For CFMX7, the version of JRE is 1.4. I am unable to install the proper certificate with that version.
Thanks.
05-29-2015 09:39 AM
Windows Server 2012 R2 Standard
Our client dropped the ball and didn't tell us about this until the day after it was implemented. Their payments have been broken for 48 hours and this is now critical:
Searching by SHA hash in the cert store on the server, I found 2/5 of the required certs already installed -- the Entrust certs still needed to be installed:
Entrust:
Entrust.net Secure Server Certification Authority 99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539
Not installed
Entrust.net Certification Authority (2048) 5030 0609 1D97 D4F5 AE39 F7CB E792 7D7D 652D 3431
Not installed
Entrust Root Certification Authority B31E B1B7 40E3 6C84 02DA DC37 D44D F5D4 6749 52F9
Not installed
CyberTrust:
Baltimore CyberTrust Root D4DE 20D0 5E66 FC53 FE1A 5088 2C78 DB28 52CA E474
Installed; present in both Trusted Root Certification Authorities and Third-Party Root Certification Authorities
Both expire 2025
GeoTrust:
GeoTrust Global CA DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212
Installed; present in both Trusted Root Certification Authorities and Third-Party Root Certification Authorities
Both expire 2022
_______
I DLed and installed all 3 Entrust certs and have tried installing them into both the Intermediate Cert Auth store as well as the Third Party Root Cert Store via the cert util in MMC. Payments still broken per the client and the certs are not showing up in the cert chain via SSLChecker.com or the DigiCert chain check util.
I then moved to focus on the suggested chain certs which may be needed "if explicitly requested by your developer."
Verizon Akamai SureServer CA G14-SHA2 Baltimore CyberTrust Root 6AD2 B04E 2196 E48B F685 7528 90E8 11CD 2ED6 0606
Entrust Certification Authority – L1K Entrust Inc CCA2 7D33 C735 A7D0 6D1F ECAD 980E 498D A681 C963
Entrust Root Certification Authority – G2 Entrust Inc 8CF4 27FD 790C 3AD1 6606 8DE8 1E57 EFBB 9322 72D4
GeoTrust SSL CA - G4 GeoTrust Global CA, GeoTrust Inc DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212
The final chain cert, GeoTrust SSL CA, is already installed in Third Party Root Cert store in MMC and is therefore also present in Trusted Root Cert store.
I've located the other 3 certs just googling them (Verizon, Entrust L1K, and Entrust Root G2) and installed them into the Third Party Root store. They still did not show up in the cert chains. I removed them from that store and installed them in the Intermediate Cert Auth store. Still not showing up in the chain via Digicert or SSLChecker.com.
Ran IISRESET.
Still not showing up in the chains via Digicert or SSLChecker.com.
What in the world needs to be done to get these certs configured correctly? This is awful and urgent.
Thank you.
05-29-2015 10:50 AM
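The thumbprint search described in the post above, as an added PowerShell example that is not part of the thread: it looks up the five root thumbprints quoted in the post in the local machine's Trusted Root, Third-Party Root and Intermediate stores, and flags a self-signed root that has ended up in the Intermediate store. It inspects only the stores of the machine it runs on; the variable and function names are illustrative.

```powershell
# Added example. Thumbprints are copied from the post above, not independently verified.
$wanted = [ordered]@{
    'Entrust.net Secure Server Certification Authority' = '99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539'
    'Entrust.net Certification Authority (2048)'        = '5030 0609 1D97 D4F5 AE39 F7CB E792 7D7D 652D 3431'
    'Entrust Root Certification Authority'              = 'B31E B1B7 40E3 6C84 02DA DC37 D44D F5D4 6749 52F9'
    'Baltimore CyberTrust Root'                         = 'D4DE 20D0 5E66 FC53 FE1A 5088 2C78 DB28 52CA E474'
    'GeoTrust Global CA'                                = 'DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212'
}

# Store name under Cert:\LocalMachine -> label shown in the MMC snap-in.
$stores = [ordered]@{
    'Root'     = 'Trusted Root Certification Authorities'
    'AuthRoot' = 'Third-Party Root Certification Authorities'
    'CA'       = 'Intermediate Certification Authorities'
}

function Find-CertByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Keep hex digits only: drops spaces and the invisible character that
    # often comes along when a thumbprint is copied from the certificate dialog.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($tp.Length -ne 40) { throw "Not a SHA-1 thumbprint: '$Thumbprint'" }
    foreach ($name in $stores.Keys) {
        Get-ChildItem -Path "Cert:\LocalMachine\$name" |
            Where-Object { $_.Thumbprint -eq $tp } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $stores[$name]
                    NotAfter   = $_.NotAfter
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

$report = foreach ($label in $wanted.Keys) {
    $hits = @(Find-CertByThumbprint -Thumbprint $wanted[$label])
    if ($hits.Count -eq 0) {
        [pscustomobject]@{ Certificate = $label; Store = 'NOT INSTALLED'; NotAfter = $null; Note = '' }
    }
    foreach ($h in $hits) {
        # A self-signed certificate is a root; finding it among the intermediates is a misplacement.
        $note = if ($h.SelfSigned -and $h.Store -like 'Intermediate*') { 'self-signed root in intermediate store' } else { '' }
        [pscustomobject]@{ Certificate = $label; Store = $h.Store; NotAfter = $h.NotAfter; Note = $note }
    }
}
$report | Format-Table -AutoSize
```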
Also on MX7, same fail.
Authorize.net essentially doused my business in gasoline and tossed a match, but in their defense, they apparently sent a single email about the pending destruction some time back in April.
05-29-2015 12:41 PM