Skip to main content

IMMEDIATE ACTION REQUIRED: MFA Root 3 Certificate Expiration


SecureAuth's SHA 1 Root Certificate Authority (CA) Certificate, MFA Root 3, expires March 30, 2017. Appliances, devices, workstations, and anything else using the certificate must be updated prior to the expiration to continue using SecureAuth's certificate services.

Need to Know

SecureAuth has moved its infrastructure to SHA 2, as SHA 1 is no longer deemed secure. With that, only SHA 2 certificates are being issued, and the SHA 1 Root CA MFA Root 3, which is utilized to issue certificates for certificate-based authentication, expires on March 30, 2017.

  • If SecureAuth IdP appliances have not been updated to SHA 2, then that action must be completed first (see Scenario 1 below for more information), followed by uploading the latest certificates to IdP, VPNs, workstations, etc. and updating the IdP configuration

  • If SecureAuth IdP appliances have been updated to SHA 2, but the SHA 1 certificates are still in use, then the SHA 1 certificates must be replaced with the latest certificates and the latest IdP configuration (see Scenario 2 below for more information)

  • If SecureAuth IdP appliances have been updated to SHA 2 and no SHA 1 certificates are in use, then SecureAuth recommends that the latest certificates be uploaded to IdP, VPNs, workstations, etc. as a best practice (see Scenario 3 below for more information)

In the past, not all environments could be updated with SHA 2 certificates due to VPNs and other devices not supporting SHA 2 ECDSA (512) certificates; however, the latest certificate bundle includes SHA 2 RSA (384) certificates, which can be uploaded to those devices to enable a working relationship with SecureAuth IdP's SHA 2 Root CAs.

The SecureAuth ECDSA certificates are still supported for those customers that have already updated their environments.

Failure to update SecureAuth IdP appliances to point to the SHA 2 enrollment endpoints and other devices with SHA 2 certificates will result in disruption of any certificate-based authentication, as of March 30, 2017.

Scenarios & Instructions

Select the scenario that best describes the SecureAuth IdP environment: