IMMEDIATE ACTION REQUIRED: MFA Root 3 Certificate Expiration
Warning
SecureAuth's SHA 1 Root Certificate Authority (CA) Certificate, MFA Root 3, expires March 30, 2017. Appliances, devices, workstations, and anything else using the certificate must be updated prior to the expiration to continue using SecureAuth's certificate services.
Need to Know
SecureAuth has moved its infrastructure to SHA 2, as SHA 1 is no longer deemed secure. With that, only SHA 2 certificates are being issued, and the SHA 1 Root CA MFA Root 3, which is utilized to issue certificates for certificate-based authentication, expires on March 30, 2017.
If SecureAuth IdP appliances have not been updated to SHA 2, then that action must be completed first (see Scenario 1 below for more information), followed by uploading the latest certificates to IdP, VPNs, workstations, etc. and updating the IdP configuration
If SecureAuth IdP appliances have been updated to SHA 2, but the SHA 1 certificates are still in use, then the SHA 1 certificates must be replaced with the latest certificates and the latest IdP configuration (see Scenario 2 below for more information)
If SecureAuth IdP appliances have been updated to SHA 2 and no SHA 1 certificates are in use, then SecureAuth recommends that the latest certificates be uploaded to IdP, VPNs, workstations, etc. as a best practice (see Scenario 3 below for more information)
In the past, not all environments could be updated with SHA 2 certificates due to VPNs and other devices not supporting SHA 2 ECDSA (512) certificates; however, the latest certificate bundle includes SHA 2 RSA (384) certificates, which can be uploaded to those devices to enable a working relationship with SecureAuth IdP's SHA 2 Root CAs.
The SecureAuth ECDSA certificates are still supported for those customers that have already updated their environments.
Failure to update SecureAuth IdP appliances to point to the SHA 2 enrollment endpoints and other devices with SHA 2 certificates will result in disruption of any certificate-based authentication, as of March 30, 2017.
Scenarios & Instructions
Select the scenario that best describes the SecureAuth IdP environment:
Notice
This scenario applies only to customers that have SecureAuth IdP versioned pre-8.1 and have not already run ACRU to update the appliance(s) to SHA 2
1. Contact SecureAuth Support to run the Appliance Certificate Renewal Utility (ACRU) on the SecureAuth IdP appliance(s)
2. Upload the latest SecureAuth IdP certificates (Root and Intermediates) to their respective certificate stores on the appliance(s)
G3Certs.zip and G3Certs_2.zip downloaded here
3. In the System Info tab of the certificate enrollment realm(s), update the Certificate URL in the WSE 3.0 / WCF Configuration section
A If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = True
http://cloud.secureauth.com/certservice/Cert.svc/msg
B If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = False
https://cloud.secureauth.com/certservice/Cert.svc
C If VPNs / Devices DO NOT Support ECDSA and Certificate Use WSE 3.0 = True
http://nge-cloud.secureauth.com/certservicersa/Cert.svc/msg
D If VPNs / Devices DO NOT Support ECDSA and Certificate Use WSE 3.0 = False
https://nge-cloud.secureauth.com/certservicersa/Cert.svc
Warning
For configuration D, Port 443 must be open for nge-cloud.secureauth.com to enable certificate enrollment from the endpoint
A
 |
B
 |
C
 |
D
 |
4. Update the web.config file in the certificate realm(s) with the relevant Root and Intermediate Certificate BLOBs
VPNs / Devices Support ECDSA | VPNs / Devices DO NOT Support ECDSA |
|---|---|
Copy the SecureAuth G3 Root Certificate Authority Key Value (SHA2-512 ECDSA), and download the SHA2-512 ECDSA InterCert Key Value file here (bottom of page) | Copy the SecureAuth G3 Root Certificate Authority 2 (SHA2-384 RSA) Key Value, and download the SHA2-384 RSA InterCert Key Value file here (bottom of page) |
Search for <add key="RootCert" and replace the value with the new, relevant Root Cert BLOB
Search for <add key="InterCert" and replace the value with the new, relevant Intermediate Cert BLOBs
 |
 |
5. Upload the relevant Root and Intermediate certificates to VPNs and other devices
VPNs / Devices Support ECDSA | VPNs / Devices DO NOT Support ECDSA |
|---|---|
Download the G3Certs.zip here, and upload the certificates to VPNs / devices | Download the G3Certs_2.zip here, and upload the certificates to VPNs / devices |
6. Push out the same Root and Intermediate certificates used in step 5 to user workstations via GPO / software distribution
Tip
If the certificates cannot be pushed out via GPO / software distribution, then employ SecureAuth's Certificate Installer (Windows / Mac)
7. Have users re-enroll for certificates
Notice
This scenario applies only to customers that have SecureAuth IdP versions 8.1+ or pre-8.1 versions that have been updated to SHA 2, but that still utilize SHA 1 certificates
Typically, the certificates were not updated due to VPNs and devices not supporting SHA 2 ECDSA certificates; but now SecureAuth provides SHA 2 RSA certificates that are supported by those products
1. Upload the latest SecureAuth IdP certificates (Root and Intermediates) to their respective certificate stores on the appliance(s)
G3Certs.zip and G3Certs_2.zip downloaded here
2. In the System Info tab of the certificate enrollment realm(s), update the Certificate URL in the WSE 3.0 / WCF Configuration section
A If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = True
http://cloud.secureauth.com/certservice/cert.svc/msg
B If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = False
https://cloud.secureauth.com/certservice/cert.svc
C If VPNs / Devices DO NOT Support ECDSA and Certificate Use WSE 3.0 = True
http://nge-cloud.secureauth.com/certservicersa/cert.svc/msg
D If VPNs / Devices DO NOT Support ECDSA and Certificate Use WSE 3.0 = False
https://nge-cloud.secureauth.com/certservicersa/cert.svc
Warning
For configuration D, Port 443 must be open for nge-cloud.secureauth.com to enable certificate enrollment from the endpoint
A
 |
B
 |
C
 |
D
 |
Notice
For SecureAuth IdP 9.0.0+ appliances, or appliances that have undergone ACRU Lite process, if the VPNs / devices do not support ECDSA certificates, then use either the C or D endpoint; but if the products do support ECDSA and the current endpoints are for us-cloud, then set the endpoint as follows:
If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = True
http://us-cloud.secureauth.com/certservice/cert.svc/msg
 |
If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = False
https://us-cloud.secureauth.com/certservice/cert.svc
 |
3. Update the web.config file in the certificate realm(s) with the relevant Root and Intermediate Certificate BLOBs
VPNs / Devices Support ECDSA | VPNs / Devices DO NOT Support ECDSA |
|---|---|
Copy the SecureAuth G3 Root Certificate Authority Key Value (SHA2-512 ECDSA), and download the SHA2-512 ECDSA InterCert Key Value file here (bottom of page) | Copy the SecureAuth G3 Root Certificate Authority 2 (SHA2-384 RSA) Key Value, and download the SHA2-384 RSA InterCert Key Value file here (bottom of page) |
Search for <add key="RootCert" and replace the value with the new, relevant Root Cert BLOB
Search for <add key="InterCert" and replace the value with the new, relevant Intermediate Cert BLOBs
 |
 |
4. Upload the relevant Root and Intermediate certificates to VPNs and other devices
VPNs / Devices Support ECDSA | VPNs / Devices DO NOT Support ECDSA |
|---|---|
Download the G3Certs.zip here, and upload the certificates to VPNs / devices | Download the G3Certs_2.zip here, and upload the certificates to VPNs / devices |
5. Push out the same Root and Intermediate certificates used in step 5 to user workstations via GPO / software distribution
Tip
If the certificates cannot be pushed out via GPO / software distribution, then employ SecureAuth's Certificate Installer (Windows / Mac)
6. Have users re-enroll for certificates