Authorize.Net will upgrade and replace Production certificates for API services starting May 26, 2015. Technical details are provided for solutions connecting to Authorize.Net APIs that may need updates.
To see the full announcement, please see this blog post.
04-24-2015 01:05 PM
It looks like we may have deeper network issues that just happened to be coincidentally timed with the certificate changes. I can't reach https://secure.authorize.net from that box, so our network folks are looking into it.
I did verify that our crypt32.dll version is up to date, all hotfixes in place. The five certs are in place as are the hotfixes mentioned. Waiting to hear back on the network side.
06-05-2015 06:32 AM
I did it on a Coldfusion 6.1MX box. Should work on all Java 1.4 and 1.6 based Coldfusion versions. The problem with Java 1.4 is the keytool program, which is why my zip has a newer one from Java 1.6.
06-05-2015 07:05 AM
After having installed all of the certificates mentioned, I was still having problems.
I am using .NET 4.0 and ASP.NET on an IIS platform. I put in some tracking code in our logging for the error that we were getting regarding the certificate upgrade.
The error was:
System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The new certificates coming from Authorize.Net now have errors.
Apparently the .NET framework is real finicky about certificate errors.
I resolved this with the following solution:
http://www.codeproject.com/Tips/321313/Bypass-and-Restore-SSL-Certificate-Validation-in-V
This code basically turns off certificate checking when we post to the live url and tells us to trust all certificates from the site.
Not the best solution by any means, but it works!
06-05-2015 08:56 AM
@kabutotx Thanks for posting that zip. Your lead on using a newer version of keytool.exe has been helpful, but I haven't been able to get it to run on our CF6.1 (Java 1.4) server. I used the one from your zip and get the following error message:
Rgistry key 'Software\JavaSoft\Java Runtime Environment\CurrentVersion' has value '1.4', but '1.6' is required.
Error: could not find java.dll
Error: could not find Java SE Runtime Environment.
How did you get around that?
06-08-2015 10:35 AM
Oops! I also had 1.6 jdk installed so I guess that registry key was set. You can download the 1.6 jre or jdk from java.com or try changing that registery key temporarily and see if that works. You can also install 1.8 and use it's keytool. That is what I did the first time I got it working.
06-08-2015 12:19 PM
A few basic questions here, as we're a small organization without a web developer....
1. If our SSL certificate is only SHA-1 compliant, do we need to purchase a new SSL certificate, or only add the files you recommend to our current SSL certificate?
2. In following the links on your blog, GeoTrust offers the recommended file in either a .pem format, or .cer. Which does authorize.net require, or do we need both?
3. Entrust asks the question "Which certificate group do you want?" We're given the choice of:
--Root certificates
--EV Chain certificates (SHA-2)
--Non-EV Chain certificates (SHA-2)
Which group do we select?
4. Entrust offers .cer and .der files. Which do we need?
Thanks!
06-08-2015 01:19 PM
1. This has nothing to do with your SSL certificate just Authorize.net. Some older environments Java 1.4/1.6 and Windows 2003 might not have update Root certificate files. FYI, if you want to upgrade your certificate to SHA-2, most SSL providers offer a free regen but this totally not needed to talk to Authorize.
2. People ususally use .cer files to import into whatever certificate store you use.
3. Use the fingerprints to get the right certificate(s).
4. Usually .cer
06-08-2015 02:00 PM
Thanks for the additional pointers. I tried all your ideas. Even after installing Java 1.6 and 1.8 and trying their respective keytools, I still get errors.I'm using the respective jli.dll files too.
I'm amazed you were able to get them to play so easily. The most common error I'm not getting is "Failed to load Main Class: sun.security.tools.KeyTool".
At this point we're stuck as to how to get this old CF6 server to install the G2 certificate. If you or anyone else has any ideas, please let me know!
06-08-2015 02:41 PM
I played around and you do have to have a jre greater than 1.4 installed. You can see the "CurrentVersion" registery key by running regedit and going to HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment. You should also have a 1.6, 1.7, or 1.8 key under it or whatever version you installed. Just change the CurrentVersion key to 1.6, 1.7, or 1.8 depending on what you installed. You then use the new keytool from it. So change to your CF 1.4 runtime security directory with the cacerts your want to update and run keytool with the path prepended from your new java (ex. \Program Files\Java\jre6\bin\keytool -import .. etc.)
06-08-2015 03:08 PM
The last thing you mentioned made all the difference. All along I've been copying the keytool into the folder of the old JRE. Once you pointed it out I tried running it from its original folder and it worked! G2 cert installed as hoped and connection to authorize.net looks to be back up. Thanks a ton for your help!
06-08-2015 03:53 PM