We are updating the SSL certificate used for the following endpoints:
- eu.zuora.com - All EU Production Endpoints (soap.eu.zuora.com,dataloader.eu.zuora.com,zconnect.eu.zuora.com,static.eu.zuora.com,rest.eu.zuora.com,aqua.eu.zuora.com)
- *.zuora.com - US Production Rest and API, Sandbox, and PT1 (<anything>*zuora.com)
- rest.pt1.zuora.com - US Production PT1 Rest Endpoint
We are updating the SSL certificate used for the endpoints listed above from Symantec to Comodo, Digicert, or AWS issued certificates.
NOTE: no change required for sandbox.eu.zuora.com as it already has Comodo certificate
Action will be required on your part prior to October 10th, 2018 if your integration certificate store does not trust the appropriate new root and intermediate certificate chain (mentioned below). Please work with your technology teams to determine what actions you must take to ensure you do not experience any disruption in Zuora services.
When will these changes take effect on the Zuora side?
- The change will occur on the schedule outlined below.
- These changes will occur on October 10th, starting at 1AM PT and continuing until 11:00AM PT.
How will this change impact me?
Your integration will stop functioning if your systems do not trust the correct root and intermediate certificate.
* Important Note: Some applications require a restart even if the trusted root store is in place in order to use the new certificate for SSL connections.
What action must I take?
If the Root and Intermediate Certificates are not trusted by your applications or libraries, you must complete the following actions before the scheduled maintenance to avoid any potential service disruption. Please work with your technology teams to determine what actions you must take to trust this CA.
Download and install the Appropriate Root Certificate Bundle
If your integration does not trust the Comodo Root Certificates, then the certificate must be imported into your applications trusted CA store.
Follow these steps to download the Comodo Root Certificates:
- The CA Certificates can be downloaded from the links below:
https://knowledgecenter.zuora.com/BB_Introducing_Z_Business/Policies/Full_Certification_Chain
.eu.zuora.com - requires "eu-zuora-com-root.cer" and "eu-zuora-com-intermediate.cer"
*.zuora.com (apisandbox.zuora.com, rest.zuora.com, and api.zuora.com) - requires "zuora-com-root.cer" and "zuora-com-intermediate.cer"
rest.pt.zuora.com - requires "rest-pt1-zuora-com-fullrootchain.ca-bundle"
- Import these certificates into your trusted CA store based on your system parameters.
- Restart services if applicable.
We have provided basic instructions to load the the root and intermediate certificates for Java and .NET. For other applications, please follow up with your technology teams to determine what actions must be taken.
For Java:
Run the following command from your application server(s) that make connections to Zuora systems to import root and intermediate certificates into your keystore. Note, text in blue must be replaced based on your system specifics.
- Root Certificate: keytool -import -trustcacerts -alias Zuora-AddTrustExternalCARoot.crt -file AddTrustExternalCARoot.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>
- Intermediate Certificate 1: keytool -import -trustcacerts -alias Zuora-COMODORSAExtendedValidationSecureServerCA.crt -file COMODORSAExtendedValidationSecureServerCA.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>
- Intermediate Certificate 2: keytool -import -trustcacerts -alias Zuora-COMODORSACa.crt -file COMODORSACa.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>
For .NET on Windows 2008/2012 R2 & Windows 2016:
Click here for instructions on adding certificates to Trusted Certification Authorities store for local computer
What happens if I take no action?
If the Root Certificate is not trusted by your integration, and you take no action, your systems will not be able to connect to the Zuora Production endpoint after this change is implemented. Please discuss this change with your technology teams to ensure you take the appropriate actions.
You are encouraged to register to the Zuora Community in order to receive the latest update on this topic.
Thank you for your support as it allows us to maintain the highest security standards at Zuora ensuring the safety of your data.
Best Regards,
Zuora Support Services & Community
#Announcement