MSM Controllers - Expired Entrust certificate
Entrust.net CA certificate - How to replace
- Affects all versions of MSM software.
- Affects only MSM controllers.
- Affects only the Authorize.net service on MSM controllers.
- Does not affect users or operation of MSM controllers and only causes a warning message.
Even if you have already upgraded to 22.214.171.124 software, you can still experience the expiry of the Entrust.net CA certificate (expiry date: May 25th 2019). This certificate is used to validate servers that present Entrust.net SSL certificates for the Authorize.Net services on the MSM. It needs to be replaced a) to avoid the expiration warning and b) to use Authorize.net.
The warning message (below) does not impact users or the normal operation of the MSM. However, if you use the Authorize.net service, then you need to address this warning.
Entrust Discontinuing Public Trust for its 1024-bit RSA Root
As of January 1, 2014, Entrust discontinued use of the root “CN = Entrust.net Secure Server Certification Authority” for issuance of public trust SSL/TLS certificates. Entrust supported the removal of the root from many browsers’ and operating systems’ root embedding programs.
Since being discontinued for public trust, the root has only been used to extend private trust for one carrier to extend trust in a legacy environment. All other end entity certificates have either expired or have been revoked.
Entrust will continue to maintain this root and use it only to issue private trust SSL/TLS certificates until its expiry. The root will be operated and audited to meet the WebTrust Principles and Criteria for Certification Authorities. The root will continue to support CRL and OCSP responses until all issued certificates have expired. Browsers and application developers are encouraged to continue removing this root as it is used solely for private trust.
It is now replaced by the "Entrust Root Certification Authority - G2" certificate, which also uses stronger cryptographic parameters (SHA256 and 2048 bits).
Replacing the expired Entrust.net certificate with a new Entrust.net CA certificate
There are 2 ways to go about this:
A) Attached is a replacement "Entrust Root Certification Authority - G2" which expires in 2029.
You may extract this certificate from the attached .zip file and install it on the MSM controller, as per the instructions below.
B) You can also create the certificate from the text block shown below, and follow the install instructions below:
1. Copy and paste the text below to a text editor file and name it "Entrust Root Certification Authority - G2.pem".
2. Install the new "Entrust Root Certification Authority - G2" under Security-->Certificate Stores. It should look like this once installed.
3. Go to Security-->Certificate Usage and select the Authorize.net service.
Add the new "Entrust Root Certification Authority - G2" certificate, and delete the old entrust.net certificate.
4. Now, return to Security-->Certificate Stores, and delete the old entrust.net certificate (now marked <not used>). This will stop the certificate warnings.
5. Under Security-->Certificate Stores, you should now see that the new "Entrust Root Certification Authority - G2" is installed and assigned to the Authorize.net service and shows a green light indication.
Entrust Root Certification Authority - G2.zip
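A pre-install check for the .pem file produced in option B (or extracted from the .zip in option A), added here as an example and not part of the original article or the MSM software: it confirms the pasted text is one intact certificate block and computes its SHA-256 fingerprint so it can be compared with the value Entrust publishes for this root before the file is added to the controller's trust store. The function names are hypothetical, the sample input is a constructed blob rather than a real certificate, and the expected fingerprint is assumed to come from Entrust through a separate channel, since this page does not list it.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """Return the DER bytes of the single certificate in text, else ValueError."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected 1 certificate block, found {len(blocks)}")
    try:
        # validate=True rejects stray characters picked up while pasting
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"damaged base64 body: {exc}") from exc
    # A certificate is one ASN.1 SEQUENCE (tag 0x30) whose declared length
    # must account for every byte; a lost or doubled line breaks this.
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    if der[1] & 0x80:                      # long-form length
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    else:                                  # short-form length
        header, length = 2, der[1]
    if header + length != len(der):
        raise ValueError("DER length mismatch: truncated or padded paste")
    return der

def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_pin(text, expected):
    """Compare the file's fingerprint with one obtained out of band."""
    norm = lambda s: s.replace(":", "").replace(" ", "").lower()
    return norm(sha256_fingerprint(pem_to_der(text))) == norm(expected)

def make_sample_pem():
    """Constructed DER-shaped blob in PEM armor; NOT a real certificate."""
    body = bytes(range(256)) * 2
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")
```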