Please be advised that due to a certificate change with Symantec, there are changes needed by your team to ensure there isn’t an impact to your API calls to Visa Developer. Below includes information on how to update your Trust Store and ensure that your systems are updated in time to avoid any business impact.
Visa Developer leverages GeoTrust – which is a subsidiary CA of Symantec - for the SSL/TLS certificates for the three domains listed above. Of late, DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates. As a result, the new certificates for the three domains are being issued from a new PKI infrastructure from DigiCert. This means that the Root CA certificate installed in your Trust Store (that is used to make API calls to the above three domains) has to be changed over from GeoTrust to DigiCert.
The steps to perform the same are exactly identical to the steps provided under “Action Item 1”. The only difference is the Trust Store you are applying it to.
Action Item 3: Remove the GeoTrust Global Root CA certificate from your Trust Store for all 3 domains impacted
When: Post October 27th, 2018
Post October 27th, you can clean up the older GeoTrust Global CA certificate from your Trust Store since that will no longer be required.
If you use a JKS file as your Trust Store, then you can run the following command to remove the GeoTrust Global Root CA certificate from your Trust Store.
Firstly, backup your Trust Store JKS file as a safe-guard.
The keytool command below assumes that the alias for the GeoTrust Global Root CA certificate in the JKS is “geotrustglobalca”. If otherwise, please use the appropriate alias.
keytool -delete -alias geotrustglobalca -keystore<Path to JKS (TrustStore) file>
If you use middleware software at your site/data-center between your Java service and API call to Visa Developer, then please ensure that the Trust Store in your middleware software is configured appropriately.
Fundamentally, the system at your end that establishes the TLS connection with Visa Developer is the one that needs the Trust Store updated with the DigiCert certificate.
If you use programming languages other than Java, then you would need to perform the appropriate steps for your programming language/tech-stack for addition of the DigiCert Global Root CA certificate hosted at https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt to the relevant Trust Store leveraged by your system.
Please note that failure to trust the DigiCert Global Root CA certificate before October 16th will result in Visa API service interruption.