MSM Controllers - Expired Entrust certificate

Requirement:

Entrust.net CA certificate: how to replace it

  • Affects all versions of MSM software.
  • Affects only MSM controllers.
  • Affects only the Authorize.Net service on MSM controllers.
  • Does not affect users or operation of MSM controllers and only causes a warning message.

Even if you have already upgraded to software version 6.6.9.0, you can still be affected by the expiry of the Entrust.net CA certificate (expiring May 25th 2019). This certificate is used to validate servers that present Entrust.net SSL certificates for the Authorize.Net service on the MSM, and it needs to be replaced to a) avoid the expiration warning and b) use Authorize.Net.

The warning message (below) does not affect users or the normal operation of the MSM. However, if you use the Authorize.Net service, you need to address this warning.

 

Entrust Discontinuing Public Trust for its 1024-bit RSA Root

As of January 1, 2014, Entrust discontinued use of the root “CN = Entrust.net Secure Server Certification Authority” for issuance of public trust SSL/TLS certificates. Entrust supported the removal of the root from many browsers' and operating systems' root embedding programs.

Since being discontinued for public trust, the root has only been used to extend private trust for one carrier to extend trust in a legacy environment. All other end entity certificates have either expired or have been revoked.

Entrust will continue to maintain this root and use it only to issue private trust SSL/TLS certificates until its expiry. The root will be operated and audited to meet the WebTrust Principles and Criteria for Certification Authorities. The root will continue to support CRL and OCSP responses until all issued certificates have expired.  Browsers and application developers are encouraged to continue removing this root as it is used solely for private trust.

It is now replaced by the "Entrust Root Certification Authority - G2" certificate, which also uses stronger cryptography (SHA256 and 2048 bits).

 

 



Solution:

Replacing the expired Entrust.net certificate with a new Entrust.net CA certificate

There are 2 ways to go about this:

 

A) Attached is a replacement "Entrust Root Certification Authority - G2" which expires in 2029.

     You may extract this certificate from the attached .zip file and install it on the MSM controller, as per the instructions below.

 

B) You can also create the certificate from the text block shown below, and then follow the install instructions below.

 



Configuration:
  1. Copy and paste the text below to a text editor file and name it "Entrust Root Certification Authority - G2.pem".

 

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

 

  2. Install the new "Entrust Root Certification Authority - G2" under Security-->Certificate Stores. Once installed, it should look like this:

 

  3. Go to Security-->Certificate Usage and select the Authorize.net service. Add the new "Entrust Root Certification Authority - G2" certificate, and delete the old entrust.net certificate.

 

  4. Now, return to Security-->Certificate Stores, and delete the old entrust.net certificate (now marked <not used>). This will stop the certificate warnings.



Verification

  5. Under Security-->Certificate Stores, you should now see that the new "Entrust Root Certification Authority - G2" is installed and assigned to the Authorize.Net service, and shows a green light indication.
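
A root CA pasted from a web page into a text file (step 1) should be checked before it is added to the controller's certificate store. The following is an added example, not part of the original article or of the MSM software: it confirms the file holds exactly one intact certificate block and compares its SHA-256 fingerprint with a value obtained from Entrust directly. The function names and the sample blob are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def make_pem(der):
    """Wrap DER bytes in PEM armor (used here only to build the constructed sample)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample: a 147-byte DER-shaped blob, NOT a real certificate.
SAMPLE_DER = b"\x30\x81\x90" + bytes(range(0x90))
SAMPLE_PEM = make_pem(SAMPLE_DER)

def check_der_length(der):
    """Reject truncated or padded pastes: the outer SEQUENCE must span the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError(f"DER declares {header + length} bytes, file has {len(der)}")

def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text, or raise ValueError."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly 1 certificate block, found {len(blocks)}")
    body = "".join(blocks[0].split())       # drop line breaks and spaces from the paste
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from None
    check_der_length(der)
    return der

def sha256_fingerprint(der):
    """Lower-case hex SHA-256 over the DER encoding (the usual certificate fingerprint)."""
    return hashlib.sha256(der).hexdigest()

def matches_pin(pem_text, expected):
    """True only if the file's fingerprint equals the value obtained out of band."""
    want = expected.replace(":", "").replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", want):
        return False
    return hmac.compare_digest(sha256_fingerprint(pem_to_der(pem_text)), want)
```

To use it, pass the contents of "Entrust Root Certification Authority - G2.pem" and the SHA-256 fingerprint published by Entrust to `matches_pin`, and install the file only if it returns `True`.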


Attachments:
Entrust Root Certification Authority - G2.zip
Version history
Revision #:
2 of 2
Last update:
‎05-12-2019 10:35 AM