Happy Business Starts Here

Re: [ACTION REQUIRED]: Maintenance to Update SSL Certificate for zuora.com, connect.zuora.com,

Zuora Support

We are updating the SSL certificate used for the following endpoints:


  1. eu.zuora.com - All EU Production Endpoints (soap.eu.zuora.com,dataloader.eu.zuora.com,zconnect.eu.zuora.com,static.eu.zuora.com,rest.eu.zuora.com,aqua.eu.zuora.com)
  2. *.zuora.com - US Production Rest and API, Sandbox, and PT1 (<anything>*zuora.com)
  3. rest.pt1.zuora.com - US Production PT1 Rest Endpoint

We are updating the SSL certificate used for the endpoints listed above from Symantec to Comodo, Digicert, or AWS issued certificates.

NOTE: no change required for sandbox.eu.zuora.com as it already has Comodo certificate


Action will be required on your part prior to October 10th, 2018 if your integration certificate store does not trust the appropriate new root and intermediate certificate chain (mentioned below). Please work with your technology teams to determine what actions you must take to ensure you do not experience any disruption in Zuora services.


When will these changes take effect on the Zuora side?


  • The change will occur on the schedule outlined below.
    • These changes will occur on October 10th, starting at 1AM PT and continuing until 11:00AM PT.

How will this change impact me?


Your integration will stop functioning if your systems do not trust the correct root and intermediate certificate.
Important Note: Some applications require a restart even if the trusted root store is in place in order to use the new certificate for SSL connections.

What action must I take?


If the Root and Intermediate Certificates are not trusted by your applications or libraries, you must complete the following actions before the scheduled maintenance to avoid any potential service disruption. Please work with your technology teams to determine what actions you must take to trust this CA.


Download and install the Appropriate Root Certificate Bundle
If your integration does not trust the Comodo Root Certificates, then the certificate must be imported into your application’s trusted CA store.

Follow these steps to download the Comodo Root Certificates:

  1. The CA Certificates can be downloaded from the links below:



.eu.zuora.com - requires "eu-zuora-com-root.cer" and "eu-zuora-com-intermediate.cer"
*.zuora.com (apisandbox.zuora.com, rest.zuora.com, and api.zuora.com) - requires "zuora-com-root.cer" and "zuora-com-intermediate.cer"
rest.pt.zuora.com - requires "rest-pt1-zuora-com-fullrootchain.ca-bundle"

  1. Import these certificates into your trusted CA store based on your system parameters.
  2. Restart services if applicable.

We have provided basic instructions to load the the root and intermediate certificates for Java and .NET. For other applications, please follow up with your technology teams to determine what actions must be taken.

For Java:

Run the following command from your application server(s) that make connections to Zuora systems to import root and intermediate certificates into your keystore. Note, text in blue must be replaced based on your system specifics.

  • Root Certificate: keytool -import -trustcacerts -alias Zuora-AddTrustExternalCARoot.crt -file AddTrustExternalCARoot.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>
  • Intermediate Certificate 1: keytool -import -trustcacerts -alias Zuora-COMODORSAExtendedValidationSecureServerCA.crt -file COMODORSAExtendedValidationSecureServerCA.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>


  • Intermediate Certificate 2: keytool -import -trustcacerts -alias Zuora-COMODORSACa.crt -file COMODORSACa.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>

For .NET on Windows 2008/2012 R2 & Windows 2016:

Click here for instructions on adding certificates to Trusted Certification Authorities store for local computer

What happens if I take no action?

If the Root Certificate is not trusted by your integration, and you take no action, your systems will not be able to connect to the Zuora Production endpoint  after this change is implemented. Please discuss this change with your technology teams to ensure you take the appropriate actions.

You are encouraged to register to the Zuora Community in order to receive the latest update on this topic.

Thank you for your support as it allows us to maintain the highest security standards at Zuora ensuring the safety of your data.


Best Regards,

Zuora Support Services & Community






If our services use the URLs you specified should we use the Production Certs or the Services Certs? The Production Certs still seem to reference Symantec, so we're not sure if those are the right ones to use.

Valued Scholar

You didn't mention the rollout for the EU sandbox? 

How are we supposed to see if this is working or not prior to the EU production roll out?





As per this, Zuora is planning to update symantec to Comodo certs for all US Data centers [Prod/Sandbox/Services Environment]

but the link which you mentioned clearly indicate only for Services Environment. 


Please update the link article with latest certs or clarify here. 



Savvy Scholar

This is some confusing information, and I have a few questions:


We're pointing to the NA sandbox environment, but not using the "sandbox.na.zuora.com" endpoint. If we don't point specifically to those hosts, (i.e. we use the "apisandbox-api.zuora.com" endpoint) will our integration be affected by the change on September 3rd, September 5th, or September 12th?


The "production" date is listed as September 12, but it includes the api sandbox ("rest.apisandbox.zuora.com") AND the production ("rest.zuora.com") endpoints. But there is also a "production date" which lists the same "rest.zuora.com" endpoint for September 5th. If I'm reading this correctly, the sandbox environment is going to get altered either after, or at the same time as, the production environment? It's impossible to tell which date applies to which environment using the schedule as posted. 


Also, September 3rd is Labor Day, and there will be massive problems with scheduling changes of this nature on that day as most of the workforce will, I imagine, be taking the day off.


Please, give some clarity to this scheule as soon as possible, as we will need to make some emergency changes to the system before next week's scheduled changes, and we need to start working on them RIGHT NOW.


Also in the future please give more time in advance of an important change like this. Posting after COB (EDT) on Friday less than a week before the first scheduled changes is not enough time in which to operate.






Senior Tutor

Can this be moved out a week?  We're going into a US holiday weekend and this will not give us enough time for this to bake in QA and allow us time to fully test. 


First and foremost, we need the correct certificate chain attached to this post! Second, it would good to have atleast 2 weeks gaps in between annoucement and actual implementation especially when an long weekend is involved.


So can we have the new comodo certificate chain for all URLs including Sandbox & Production????????

Zuora Staff

Hi folks


We are reviewing this issue with our Engineering team and expect to have a response shortly. 



Valued Scholar

We are using apisandbox.zuora.com URLs. Do we need the SSL certificate changes to be uptaken ?


Thanks !


September 3rd is scheduled for Sandboxes is that also includes the Services(Production copy) environments?. So we can test the SSL cert changes in our services environments. 


Hi Team,

Could you please provide the End time of these changes?


  • Wednesday, August 29th 2018 7:00AM PDT: All Regions Connect - connect.zuora.com (connect.eu.zuora.com, connect.na.zuora.com), *.apps.zuora.com, *.apps.eu.zuora.com>End Time of change?
  • Monday, September 3rd 2018 7:00AM PDT: US Sandbox - sandbox.na.zuora.com (static.sandbox.na.zuora.com, rest.sandbox.na.zuora.com)>End Time of change?
  • Wednesday, September 5th 2018 7:00AM PDT: US Production - www.zuora.com (static.na.zuora.com, static.zuora.com, zuora.com, rest.na.zuora.com, na.zuora.com, rest.zuora.com, api.zuora.com) >End Time of change?
  • Wednesday, September 12th 2018 7:00AM PDT: US Production, PT1, Sandbox- *.zuora.com, rest.pt1.zuora.com, rest.zuora.com, rest.apisandbox.zuora.com, eu.zuora.com >End Time of change?(soap.eu.zuora.com,dataloader.eu.zuora.com,zconnect.eu.zuora.com,static.eu.zuora.com,rest.eu.zuora.com,aqua.eu.zuora.com), origin-rest.zuora.com

Please share as soon as possible.


So the plan is to update both rest.apisandbox.zuora.com and rest.zuora.com at the same time? So you're giving your customers no opportunity to test the cert change against your test environment prior to applying the change to your production?


@scottb- Do you have an update on this? You were going to get back to us after checking with Zuora Engineering? Please confirm on priority so that we can plan activities.

Senior Tutor

Asking again for this to be moved to a week out due to the holiday.  Can this be moved out a week?  We're going into a US holiday weekend and this will not give us enough time for this to bake in QA and allow us time to fully test. 


Let us know if Zuora is seriosuly performing this activity and clarifying all concerns well in advance. 

With lack of information and no response on comment section clearly indicate differently. 

  • I don't see the new Cert for the Performance Type Tenants - listed in the KB per the link given above is EU and US - APISandbox and Production along with US Services.
  • I am also with everyone else that there is no way for us to test if Production and APISandbox are all done within 2 days of each other
  • Our API Sandbox is actually APISANDBOX.Zuora.com but that's not listed above unless it's included in *.zuora.com and then it's the same day as our Production?
  • Why would the change be made in Production before the PT and Sandbox environments? We use PT environments for our Day 2 and Project
  • Monday 9/3 as previously mentioned is a US Holiday
  • We also need a better hourly timeline for implementation; we are a global corporation and things are running 24/7 so we won't know when to update the certificate until it starts failing.