Also, as a point of clarification: While our new domain certificates will be signed using SHA-256, the CA root certificates may use a different hash to sign themselves. The root certificates, and the chain certificates mentioned below, do not require SHA-256 signing for them to be used by your solution.
As part of ongoing improvements to Authorize.Net’s infrastructure, we will be upgrading our certificates so that they are signed using the Secure Hash Algorithm 2 (SHA-2) family. Specifically, we are upgrading our API services to use Entrust’s SHA-256, 2048-bit certificate. These changes will go out on May 27th, starting with secure.authorize.net.
In the coming months we will be using multiple certificates from different Certificate Authorities, and we recommend installing the certificates listed below, which also use SHA-256 and 2048-bit signatures, in preparation for that change.
Please contact your solution provider and web hosting company to ensure your solution has these certificates installed and is capable of using them to secure your connection to Authorize.Net. In many cases the certificates may already be installed.
We may use certificates from three vendors: Entrust, GeoTrust, and CyberTrust. The required root certificates from each vendor are listed below, along with a link to their official download URL.
We have also provided chain certificate details and thumbprints for those who require them. These chain certificates are not required for validation in most circumstances and should only be necessary if explicitly requested by your developer:
Certificate / Thumbprint (SHA-1)

Verizon Akamai SureServer CA G14-SHA2
Baltimore CyberTrust Root
6AD2 B04E 2196 E48B F685 7528 90E8 11CD 2ED6 0606

Entrust Certification Authority – L1K
CCA2 7D33 C735 A7D0 6D1F ECAD 980E 498D A681 C963
Entrust Root Certification Authority – G2
8CF4 27FD 790C 3AD1 6606 8DE8 1E57 EFBB 9322 72D4

GeoTrust SSL CA - G4
GeoTrust Global CA, GeoTrust Inc
DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212
The upgrade to SHA-2 follows a decision by server and browser vendors to deprecate the use of SHA-1:
In September 2014 Google announced that the Chrome browser would gradually deprecate SHA-1 support, and would reject SHA-1 signed certificates that expire after January 1, 2017. In addition, SHA-1 signed certificates that expire in 2016 would be flagged as secure but with errors.
Also in September 2014, Mozilla announced that it would likewise reject SHA-1 signed certificates that expire after January 1, 2017. Mozilla's code base underlies a family of browsers, the best known being Mozilla Firefox.
While most modern operating systems and web servers support SHA-2, there is a concern that older software—especially software based on outdated versions of Java—may not adequately support SHA-2. Our sandbox environment has already been updated so you can validate that your solution will continue to work using SHA-2 signed certificates, prior to May 27th.
After the update is complete, any software that cannot validate an SHA-2 signed certificate will fail to connect to Authorize.Net servers.
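As an added check, not Authorize.Net's own code, the script below covers the two things this notice asks an integration to confirm: that the required roots are in the trust store (compared by SHA-1 thumbprint, using the Entrust G2 and GeoTrust Global CA values as the table above pairs them) and that the certificate a server actually presents is SHA-2 signed, which is what validating against the sandbox before May 27th is meant to show. It uses only the Python standard library; the sandbox hostname is not given on this page, so the host passed to server_signature_algorithm is an assumption you fill in.

```python
import hashlib, socket, ssl
# Two of the root thumbprints listed in the notice (SHA-1 over the DER encoding).
REQUIRED_ROOTS = {
    "Entrust Root Certification Authority - G2": "8CF4 27FD 790C 3AD1 6606 8DE8 1E57 EFBB 9322 72D4",
    "GeoTrust Global CA": "DE28 F4A4 FFE5 B92F A3C5 03D1 A349 A7F9 962A 8212",
}
# signatureAlgorithm OIDs; sha1WithRSAEncryption is the one that will stop working.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def thumbprint(der: bytes) -> str:
    """Thumbprint as printed in the notice: SHA-1 of the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()

def missing_roots(installed_ders):
    """Names of required roots whose thumbprint is absent from the given DER certs."""
    have = {thumbprint(d) for d in installed_ders}
    return [n for n, tp in REQUIRED_ROOTS.items() if tp.replace(" ", "") not in have]

def _tlv(buf, pos):
    """Read one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(der: bytes) -> str:
    """Algorithm the issuer signed with; a cert is SEQUENCE {tbs, sigAlgorithm, sigValue}."""
    _, pos, _ = _tlv(der, 0)                 # enter outer SEQUENCE
    _, _, pos = _tlv(der, pos)               # skip tbsCertificate
    _, pos, _ = _tlv(der, pos)               # enter AlgorithmIdentifier SEQUENCE
    tag, start, end = _tlv(der, pos)         # its first element is the OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    body = der[start:end]
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                       # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    oid = ".".join(map(str, arcs))
    return SIG_OIDS.get(oid, oid)

def server_signature_algorithm(host, port=443):
    """Connect with normal validation and report how the leaf certificate is signed."""
    ctx = ssl.create_default_context()       # verifies the chain; fails if it cannot
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        return signature_algorithm(tls.getpeercert(binary_form=True))
```

Feed missing_roots the DER certificates of your trust store first; then a successful server_signature_algorithm call against the sandbox host (an assumed value, not named on this page) shows both that your TLS stack accepts the SHA-2 chain and which algorithm the leaf carries.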