Update #4: Updated the required certificate list for clarity.
Update #3: Planned upgrades will be delayed one day to May 27, 2015.
Update #2: The Entrust links have been updated below.
Update #1: Those having difficulty locating the Entrust L1K root certificate may find it in Entrust's knowledge base, at http://www.entrust.net/knowledge-base/technote.cfm?tn=8863.
Also, as a point of clarification: While our new domain certificates will be signed using SHA-256, the CA root certificates may use a different hash to sign themselves. The root certificates, and the chain certificates mentioned below, do not require SHA-256 signing for them to be used by your solution.
As part of ongoing improvements to Authorize.Net’s infrastructure, we will be upgrading our certificates so that they are signed using Secure Hash Algorithm 2 (SHA-2). Specifically, we are upgrading our API services to use Entrust’s SHA-256, 2048-bit certificate. These changes will go out on May 27th, starting with secure.authorize.net.
In the coming months, we will be using multiple certificates from different Certificate Authorities, and we recommend installing these certificates—which also use SHA-256 and have 2048-bit signatures—in preparation for that change.
Please contact your solution provider and web hosting company to ensure your solution has these certificates installed and is capable of using them to secure your connection to Authorize.Net. In many cases the certificates may already be installed.
We may use certificates from three vendors: Entrust, GeoTrust, and CyberTrust. The required root certificates from each vendor are listed below, along with a link to the vendor's official download URL.
Entrust
http://www.entrust.net/developer/
Certificate Name | Certificate Thumbprint (SHA-1)
--- | ---
Entrust.net Secure Server Certification Authority | 99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539
Entrust.net Certification Authority (2048) | 5030 0609 1D97 D4F5 AE39 F7CB E792 7D7D 652D 3431
Entrust Root Certification Authority | B31E B1B7 40E3 6C84 02DA DC37 D44D F5D4 6749 52F9
GeoTrust
https://www.geotrust.com/resources/root-certificates/
Certificate Name | Certificate Thumbprint (SHA-1)
--- | ---
GeoTrust Global CA | DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212
CyberTrust
https://cacert.omniroot.com/bc2025.crt
Certificate Name | Certificate Thumbprint (SHA-1)
--- | ---
Baltimore CyberTrust Root | D4DE 20D0 5E66 FC53 FE1A 5088 2C78 DB28 52CA E474
We have also provided chain (intermediate) certificate details and thumbprints for those who require them. These chain certificates are not required for validation in most circumstances and should only be necessary if explicitly requested by your developer:
Certificate Name | Issuer | Certificate Thumbprint (SHA-1)
--- | --- | ---
Verizon Akamai SureServer CA G14-SHA2 | Baltimore CyberTrust Root | 6AD2 B04E 2196 E48B F685 7528 90E8 11CD 2ED6 0606
Entrust Certification Authority – L1K | Entrust Inc | CCA2 7D33 C735 A7D0 6D1F ECAD 980E 498D A681 C963
Entrust Root Certification Authority – G2 | Entrust Inc | 8CF4 27FD 790C 3AD1 6606 8DE8 1E57 EFBB 9322 72D4
GeoTrust SSL CA - G4 | GeoTrust Global CA, GeoTrust Inc | DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212
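To confirm that the required root certificates listed above are present in a client's trust store, here is an added Python example (not Authorize.Net's code). It assumes the standard `ssl` module can enumerate the CA certificates loaded by the default context, and it matches them by the SHA-1 thumbprints published in the tables above.

```python
"""Report which of the required Authorize.Net root certificates are missing
from the local trust store. Added example; the thumbprints are copied from
the root certificate tables above."""
import hashlib
import ssl

REQUIRED_ROOTS = {
    "Entrust.net Secure Server Certification Authority":
        "99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539",
    "Entrust.net Certification Authority (2048)":
        "5030 0609 1D97 D4F5 AE39 F7CB E792 7D7D 652D 3431",
    "Entrust Root Certification Authority":
        "B31E B1B7 40E3 6C84 02DA DC37 D44D F5D4 6749 52F9",
    "GeoTrust Global CA":
        "DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212",
    "Baltimore CyberTrust Root":
        "D4DE 20D0 5E66 FC53 FE1A 5088 2C78 DB28 52CA E474",
}


def normalize(tp: str) -> str:
    """Strip spaces/colons so pasted thumbprints in any layout compare equal."""
    return "".join(ch for ch in tp if ch.isalnum()).upper()


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, formatted like the tables above."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def missing_roots(der_certs, required=REQUIRED_ROOTS):
    """Names of required roots whose thumbprint is not among der_certs."""
    present = {normalize(thumbprint(der)) for der in der_certs}
    return sorted(name for name, tp in required.items()
                  if normalize(tp) not in present)


def check_system_store():
    """Assumption: the default context exposes its loaded CA certs as DER."""
    ctx = ssl.create_default_context()
    return missing_roots(ctx.get_ca_certs(binary_form=True))


if __name__ == "__main__":
    absent = check_system_store()
    print("All required roots present" if not absent
          else "Missing: " + ", ".join(absent))
```

On some platforms the default context does not expose every root the operating system trusts, so an empty list from this script is sufficient but a non-empty one still warrants checking the store directly.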
The upgrade to SHA-2 follows a move by operating system and browser vendors to deprecate the use of SHA-1:
- Microsoft announced in late 2013 that they would no longer accept SHA-1 signed certificates which expire after January 1, 2017.
- In September 2014, Google announced that the Chrome browser would gradually deprecate SHA-1 support, and would also reject SHA-1 signed certificates which expire after January 1, 2017. In addition, SHA-1 signed certificates which expire in 2016 would be flagged as secure but with errors.
- Also in September 2014, Mozilla announced that they would likewise reject SHA-1 signed certificates that expire after January 1, 2017. Mozilla's code is the basis of a family of browsers, the best known being Mozilla Firefox.
While most modern operating systems and web servers support SHA-2, there is a concern that older software—especially software based on outdated versions of Java—may not adequately support SHA-2. Our sandbox environment has already been updated so you can validate that your solution will continue to work using SHA-2 signed certificates, prior to May 27th.
After the update is complete, any software that cannot validate an SHA-2 signed certificate will fail to connect to Authorize.Net servers.