[WHAT IS HAPPENING / WHAT WE ARE DOING]
The SSL Certificate Authority Root Certificate used by Zuora for select endpoints is expiring on May 30 3:48:38 2020 PDT. We are conducting an emergency maintenance to ensure an updated certificate trust chain is in place before the date of expiration.
Which API endpoints does this impact?
*.zuora.com
*.apps.zuora.com
*.sandbox.eu.zuora.com
sandbox.na.zuora.com
connect.zuora.com
rest.pt1.zuora.com
Wildcard entries above can include any endpoints not covered by other certificates.
*.zuora.com includes:
services*.zuora.com (Service Environments)
restservices*.zuora.com (Rest for Service Environments)
*.apps.zuora.com includes:
The Connect applications and services, for example workflow.apps.zuora.com.
*.sandbox.eu.zuora.com includes:
Any EU Sandbox applications and services.
When will these changes take effect on the Zuora side?
These changes will occur between May 28 - May 30, 2020.
Thursday May 28, 220 - Non production API endpoints (apisandbox, services*, PT1)
Friday May 29, 2020 - Production API endpoints
Saturday May 30, 2020 - Finalize and validate, work may continue until expiry.
How will this change impact me?
Only the CA Root Certificate is changing, and it has been cross-signed. That means most clients and modern browsers will automatically be able to use the new certificate without any changes. But if you are pinning the previous Root certificate, you may be unable to connect to the endpoints listed above.
Please refer to this Sectigo knowledge base article for information on the expiration:
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
What actions must I take?
If you are pinning the expiring Root certificate, you must update the certificate before the scheduled maintenance to avoid any potential service disruption. Please work with your technology teams to determine what actions you must take to use the new certificate.
Customers who manage their own CA trust store for an API integration may need to update their store accordingly. In some cases, weve found select API integrations which cache SSL certificates by default, and if those integrations care about CA Certificates or Trust Store may need to be rebooted following completion of our updates to update their internal certificate cache.
You will want to ensure that you have applied any relevant security updates on your systems and ensure that the new certificate is included in any cert bundles your applications are using.
The certificates can be found at:
https://knowledgecenter.zuora.com/BB_Introducing_Z_Business/Policies/Full_Certification_Chain
*Note* Zuora does not recommend certificate pinning.
Why cant Zuora support tell me if Im impacted by this change?
We do not have access or knowledge of our customers systems, it is important that the customer assess whether their systems are impacted by this change.
Customer integration and truststore policy along with API integration common practice is the exclusive responsibility of the customer and their security & technology teams to maintain.
You are encouraged to register to the Zuora Community in order to receive the latest update on this topic.
Thank you for your support as it allows us to maintain the highest security standards at Zuora ensuring the safety of your data.
Best Regards,
Zuora Support Services & Community
#Announcement