
[ACTION REQUIRED]: Emergency Maintenance to Update SSL Certificate for Select Zuora Endpoints

Zuora Staff

[WHAT IS HAPPENING / WHAT WE ARE DOING]

 

The SSL Certificate Authority Root Certificate used by Zuora for select endpoints is expiring on May 30 3:48:38 2020 PDT. We are conducting an emergency maintenance to ensure an updated certificate trust chain is in place before the date of expiration.

 

Which API endpoints does this impact?

 

*.zuora.com

*.apps.zuora.com

*.sandbox.eu.zuora.com

sandbox.na.zuora.com

connect.zuora.com

rest.pt1.zuora.com

 

Wildcard entries above can include any endpoints not covered by other certificates.

 

*.zuora.com includes:

services*.zuora.com (Service Environments)

restservices*.zuora.com (Rest for Service Environments)

 

*.apps.zuora.com includes:

The Connect applications and services, for example workflow.apps.zuora.com.

 

*.sandbox.eu.zuora.com includes:

Any EU Sandbox applications and services.

 

 

When will these changes take effect on the Zuora side?

 

These changes will occur between May 28 - May 30, 2020.

Thursday May 28, 2020 - Non-production API endpoints (apisandbox, services*, PT1)

Friday May 29, 2020 - Production API endpoints

Saturday May 30, 2020 - Finalize and validate, work may continue until expiry.

 

How will this change impact me?

 

Only the CA Root Certificate is changing, and it has been cross-signed. That means most clients and modern browsers will automatically be able to use the new certificate without any changes. But if you are pinning the previous Root certificate, you may be unable to connect to the endpoints listed above.

 

Please refer to this Sectigo knowledge base article for information on the expiration:

 https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-202...

 

 

What actions must I take?

 

If you are pinning the expiring Root certificate, you must update the certificate before the scheduled maintenance to avoid any potential service disruption. Please work with your technology teams to determine what actions you must take to use the new certificate.


Customers who manage their own CA trust store for an API integration may need to update their store accordingly. We have also found that some API integrations cache SSL certificates by default; if such an integration depends on its cached CA certificates or trust store, it may need to be rebooted after our updates are complete so that it refreshes its internal certificate cache.

 

You will want to ensure that you have applied any relevant security updates on your systems and ensure that the new certificate is included in any cert bundles your applications are using. 

 

The certificates can be found at: 

https://knowledgecenter.zuora.com/BB_Introducing_Z_Business/Policies/Full_Certification_Chain

 

*Note* Zuora does not recommend certificate pinning.

 

 

Why can’t Zuora support tell me if I’m impacted by this change?

 

We do not have access to, or knowledge of, our customers' systems, so it is important that each customer assess whether their systems are impacted by this change.

 

Customer integrations, trust store policy and API integration practices are the exclusive responsibility of the customer and their security & technology teams to maintain.

 

You are encouraged to register with the Zuora Community in order to receive the latest updates on this topic.

 

Thank you for your support as it allows us to maintain the highest security standards at Zuora ensuring the safety of your data.

 

Best Regards,

Zuora Support Services & Community
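
One way to check a self-managed trust store for the expiring root, as an added example that is not part of the original announcement or Zuora's own tooling: it loads a PEM CA bundle with Python's standard ssl module and lists every CA certificate that expires on or before the date stated above. It assumes a PEM bundle (other store formats such as Java keystores are not covered); the sample entries are constructed, and "Example Long-Lived Root" is a hypothetical name.

```python
import ssl
import sys
from datetime import datetime, timezone

# Expiry stated in the announcement: May 30 3:48:38 2020 PDT (10:48:38 GMT).
ROOT_EXPIRY = datetime(2020, 5, 30, 10, 48, 38, tzinfo=timezone.utc)

def load_bundle(path):
    """Load a PEM CA bundle; return its CA certs as ssl-module dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()

def common_name(cert):
    """Pull the CN out of the nested subject tuples, else the whole subject."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return str(cert.get("subject"))

def not_after(cert):
    """Parse 'May 30 10:48:38 2020 GMT' style notAfter into an aware datetime."""
    secs = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(secs, timezone.utc)

def expiring_by(certs, cutoff):
    """Return (CN, notAfter) for certs expiring on or before cutoff, oldest first."""
    hits = [(common_name(c), not_after(c)) for c in certs if not_after(c) <= cutoff]
    return sorted(hits, key=lambda h: h[1])

# Constructed sample in the shape get_ca_certs() returns (not from a real store).
SAMPLE = [
    {"subject": ((("organizationName", "AddTrust AB"),),
                 (("commonName", "AddTrust External CA Root"),)),
     "notAfter": "May 30 10:48:38 2020 GMT"},
    {"subject": ((("commonName", "Example Long-Lived Root"),),),
     "notAfter": "Jan 18 23:59:59 2038 GMT"},
]

if __name__ == "__main__":
    # Pass a bundle path to audit it; with no argument the sample is used.
    certs = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for name, when in expiring_by(certs, ROOT_EXPIRY):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {name}")
```

A bundle that lists the expiring root but none of the roots from the updated chain is the case that needs attention before the maintenance window.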

3 Comments
Zuora Staff


For the maintenance above, we will update this thread periodically as we have completed updates to specific environment areas over the next few days.

As mentioned, this should normally only impact integrations that leverage their own Trust Store, actively pin SSL certs or use an integration which caches SSL certificates only at startup.

You may be able to test for impact if you have the ability to set the date for your integration platform or server to a date past the CA expiry (e.g. 6/1/2020) and then test a connection. A successful test may imply your integration may not require current or updated CA Certificates.

Zuora Staff

The following endpoints have been updated:

services*.zuora.com (Service Environments)
restservices*.zuora.com (Rest for Service Environments)
pt1.zuora.com
rest.pt1.zuora.com

 

Zuora Staff

Maintenance has been completed.  

Thanks!