Showing results for 
Search instead for 
Did you mean: 

Production Certificate Upgrades begin May 26, 2015

Authorize.Net will upgrade and replace Production certificates for API services starting May 26, 2015. Technical details are provided for solutions connecting to Authorize.Net APIs that may need updates.


To see the full announcement, please see this blog post.

Administrator Administrator
172 REPLIES 172



That was the first certificate on their list, before they made their last update on their blog, that was the first link. So that is why I went with that one first. The 2nd link was for 2 intermediate certificates, which I didn't bother with installing in they keystore, I did install them on the server though as well as the other 2 links. Matching the thumbprints is the best way to go to make sure you are getting the exact certificates that are needed. I matched all 4 when I was installing them on my server.


I don't know if installing the other certificates into the keystore would be needed in the future, as ANET states they will be using different certs moving forward. So maybe someone else has some insight into that.



this is an older link i came across previously that might work for CFMX7, for those who are still having problems

also when you open command prompt, right click on it and 'Run as administrator', otherwise it will give you keytool error, somebody mentioned that, so not sure if that was the problem.

I have to admit - even after reading through the entire stream on this post I am still at a loss as to what I can do to fix my site.  I have a website hosted at GoDaddy that has a GoDaddy SHA-2 compliant SSL certificate installed.  I don't see a way to install any additional certificates, and I have no way of bringing the hosting back in house to set up my own Apache server.  I am using the AIM method to process transactions using CURL code.  All of this was working fine up until the certificate upgrades went into place.  Is there any resource that I can reference to help me piece this back together so I can get transactions processing again?

For anyone running Linux/Apache/PHP using the curl program to connect to, we had a problem where we were receiving the error message:


Reason: SSL certificate problem: unable to get local issuer certificate


I updated the certs for Apache but that didn't fix the issue.  It turns out that curl was using it's own set of certificates, so the program wasn't picking up the updated one.  I tracked down curl's certificates to here:




I replaced the original file with the same one we were using in Apache (which had the updated certs) but kept the filename curl-ca-bundle.crt and that seems to have fixed the issue.  It's also possible to specify which certs curl uses on the command line (or I assume a config file somewhere).


Hope this helps... Certification Authority (2048)5030 0609 1D97 D4F5 AE39 F7CB E792 7D7D 652D 3431

Entrust Root Certification AuthorityB31E B1B7 40E3 6C84 02DA DC37 D44D F5D4 6749 52F9


What is the download link for these two certificates and what folder are they supposed to reside in?


We also have two customers down using our .Net based e-commerce solution. They are using Windows 2003 and IIS. We have other customers on Windows 2003 that do work ok. All the Certs seems applied. Any broad guidance you can give would be helpful.


Marty Acks


... more from above post: the message we get is: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel." Is this the same message others are seeing?

Windows 2003 is not compatible with SHA-256 certificates out of the box, but Microsoft has provided patches that provide this support. The Microsoft blog post on their planned deprecation of SHA-1 includes links to the relevant updates. This is likely what you need to resolve the error that you are seeing.

Just 5 minutes ago I was able to get a Wndows Server 2003 R2 system working.  It is one of our older Colldfusion application servers that is still live but will be phased out soon.   I followed Seeraig's suggestions on page 8 of this thread where he includes the video.  


I'm not sure about .NET but the difference seems to be getting the Entrust CA certificate with the thumbprint 8CF4 27FD 790C 3AD1 6606 8DE8 1E57 EFBB 9322 72D4 in the proper key store.  In my case it meant the java store and also the third party store