Happy Business Starts Here

[ACTION REQUIRED]: Maintenance to Update SSL Certificate for zuora.com api.zuora.com rest.zuora.com

Zuora Support Moderator

We are updating the SSL certificate used for the following endpoints on December 12, 2018:

Production Endpoints:






Action may be required on your part prior to December 12, 2018


When will these changes take effect on the Zuora side?

December 12, 2018 starting at 1am through 11am


How will this change impact me?

 Your integration may stop functioning if your systems do not trust the correct root and intermediate certificate.

* Important Note: Some applications require a restart even if the trusted root store is in place in order to use the new certificate for SSL connections.

What action must I take?

If the Root and Intermediate Certificates are not trusted by your applications or libraries, you must complete the following actions before the scheduled maintenance to avoid any potential service disruption. Zuora cannot determine if you are impacted, so you will need to work with your technology teams to determine what actions for this certificate update.  


Download and install the Appropriate Root Certificate Bundle

If your integration does not trust the Comodo Root Certificates, then the certificate must be imported into your application’s trusted CA store.


Follow these steps to download the Comodo Root Certificates:

  1. The CA Certificates can be downloaded from the links below:


You will need the zuora-com-root.cer and zuora-com-intermediate.cer for the following sites:






What happens if I take no action?

If the Root Certificate is not trusted by your integration, and you take no action, your systems will not be able to connect to the Zuora Production endpoint  after this change is implemented. Please discuss this change with your technology teams to ensure you take the appropriate actions.


You are encouraged to register to the Zuora Community in order to receive the latest update on this topic.


Thank you for your support as it allows us to maintain the highest security standards at Zuora ensuring the safety of your data.

Best Regards,


Zuora Support Services & Community

Valued Scholar



Did not the following SSL certificate update be carried out in previous maintenance?:




Valued Scholar



Does this maintenance include the following endpoints? :


Zuora Support Moderator

Q: Did not the following SSL certificate update be carried out in previous maintenance?: *.zuora.com

A: This is a separate maintenance, related to endpoint fronted by *.zuora.com (eg, www.zuora.com, api.zuora.com, static.zuora.com, etc)


Q: Does this maintenance include the following endpoints? : www.zuora.com

A: Yes


Is there any way to test this prior to the deployment in production? Maybe similar to the last procedure mentioned earlier?

Savvy Scholar

I believe that a keystore which now works for connecting to the sandbox environment should also work for the production environment, if I understand anything about what has happened with these upgrades.


Someone from Zuora please correct me if that's wrong, however!

Valued Scholar


>December 12, 2018 starting at 1am through 11am

Is the time zone PST?


Zuora Support Moderator

Yes, all times are Pacific Time



Our integration with Zuora is around Zuora SOAP API & Hosted Payment Method.

I am not aware of any certificates we currently use.

How can I be sure if we are exempt from updating the certificate as part of this update?



Hi Team,


Does this SSL update include the following project? Please let us know as soon as possible.

Project: MicroFocus

Tenant:  6444




Zuora Support Moderator

As stated above, Zuora cannot determine impact to your integrations.  You will need to work with your technology teams to asses if you need to update integration certificates.  This impacts all production tenants using the cited endpoints as per the original article.



Honor Student

Hi Zuora team,


Can you please provide a POC for this certificate update? Who can we reach out to in case of an emergency?




Zuora Support Moderator

Hi @czarco

Please reach out to Zuora support for any issues resulting in this deployment that cannot be addressed locally through your own technology and security teams.   As for POC, I'm not familair with that aconym in this context.  Can you explain further?

Honor Student

Hi scott,


POC stands for point of contact, so I am assuming that we should reach to Zuora support for any issues?


Zuora Support Moderator

Correct - Support will be your primary point of contact if there is any issues on your end as outlined above.


Is the SSL certificate already updated for your sandbox endpoints so that we can run tests before the upgrade in production?

Zuora Support Moderator

Hi @gbarak

The apisandbox certificate is different so testing here doesn't apply.  I'll post an "unofficial" method you could test SSL connections to the same certificate in our staging environments below.

Zuora Support Moderator

Hi everyone

Attached you will find aa sample test method you could use to test the new certs which are setup in our Akamai STAGING environment. This method requires you to redirect the traffic using an/etc/hosts file to direct the traffic with the correct header for SPI.

If you choose to do this testing, please keep the following under advisement:

1. DO NOT run this test process in your actual production environment, and please do not proceed unless you understand the method being suggested - we encourage you to work with your integration and IT teams to validate
2. Please be aware that this test process is supplied as-is as a sample process. We will not provide support for this process.
3. This test will allow you to test SSL connections only. A successful connection confirms your integration is capable of passing the certificate check during the initial SSL negotiation. The core Zuora APIs, while available, may not function as per our Production standards and will not have your data or authentication setup.


Savvy Scholar



Will the intermediate certificate be included in the certificate chain from the production servers or not? Zuora best-practices (stated on the other thread) explicitly say that a server will send the entire cert chain, but as I already pointed out on that post, the PT1 servers do not do this.


Will the production servers do it or not? This matters, because it changes what we need to put in our keystores. I have had this question open and unanswered on the other thread since October 12. It's now nearly 2 months later, will it be possible to get an answer now that we're about to change production?