Happy Business Starts Here

[Action Required] - Certificates for some US Zuora endpoints will be rotated @ 5:00pm -7:00pm PT Thu

Community Manager

This is a notification that there will be a maintenance to rotate SSL certificates for the following endpoints on Thursday August 20th between 5:00pm and 7:00pm PT:










This maintenance is being performed to remove SHA-1 signed certificates from our endpoints.


Action will be required on your part prior to August 20th, 2020 if your integration certificate store does not trust the appropriate new root and intermediate certificate chain (mentioned below). Please work with your technology teams to determine what actions you must take to ensure you do not experience any disruption in Zuora services.


When will these changes take effect on the Zuora side?


  • The change will occur on the schedule outlined below.
    • These changes will occur on August 20th, starting at 5PM PT and continuing until 7:00PM PT.

How will this change impact me?


Your integration will stop functioning if your systems do not trust the correct root and intermediate certificate.

* Important Note: Some applications require a restart even if the trusted root store is in place in order to use the new certificate for SSL connections.


What action must I take?


If the Root and Intermediate Certificates are not trusted by your applications or libraries, you must complete the following actions before the scheduled maintenance to avoid any potential service disruption. Please work with your technology teams to determine what actions you must take to trust this CA.


Download and install the Appropriate Root Certificate Bundle

If your integration does not trust the Comodo Root Certificates, then the certificate must be imported into your application’s trusted CA store.


Follow these steps to download the Comodo Root Certificates:

  1. The CA Certificates can be downloaded from the links below:




  1. Import these certificates into your trusted CA store based on your system parameters.
  2. Restart services if applicable.

We have provided basic instructions to load the the root and intermediate certificates for Java and .NET. For other applications, please follow up with your technology teams to determine what actions must be taken.


For Java:

Run the following command from your application server(s) that make connections to Zuora systems to import root and intermediate certificates into your keystore. Note, text in blue must be replaced based on your system specifics.

  • Root Certificate: keytool -import -trustcacerts -alias Zuora-AddTrustExternalCARoot.crt -file AddTrustExternalCARoot.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>
  • Intermediate Certificate sample commands to run against each certificate from the environment specific section on the above KC article.
  • 1: keytool -import -trustcacerts -alias Zuora-COMODORSAExtendedValidationSecureServerCA.crt -file COMODORSAExtendedValidationSecureServerCA.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>
  • 2: keytool -import -trustcacerts -alias Zuora-COMODORSACa.crt -file COMODORSACa.crt -keystore <Name and path to you java keystore file, typically named keystore.jks>

For .NET on Windows 2008/2012 R2 & Windows 2016:


Click here for instructions on adding certificates to Trusted Certification Authorities store for local computer


What happens if I take no action?


If the Root Certificate is not trusted by your integration, and you take no action, your systems will not be able to connect to the Zuora Production endpoint  after this change is implemented. Please discuss this change with your technology teams to ensure you take the appropriate actions.



You are encouraged to register to the Zuora Community in order to receive the latest update on this topic.


Thank you for your support as it allows us to maintain the highest security standards at Zuora ensuring the safety of your data.


Best Regards,


Zuora Support Services & Community

Savvy Scholar



What about api.zuora.com endpoint?

Community Manager

Hi Guy,


The endpoints mentioned above are the only affected endpoints.




Zuora Support

This maintenance has been completed.