What is happening?
Please be advised that, due to a certificate change with Symantec, your team needs to make changes to ensure there isn’t an impact to your API calls to Visa Developer. The information below explains how to update your Trust Store and ensure that your systems are updated in time to avoid any business impact.
What is impacted?
All API calls to the following three domains: https://sandbox.api.visa.com, https://cert.api.visa.com and https://api.visa.com
Why is this happening?
Visa Developer uses GeoTrust, a subsidiary CA of Symantec, for the SSL/TLS certificates for the three domains listed above. DigiCert recently took over validation and issuance for all Symantec Website Security SSL/TLS certificates. As a result, the new certificates for the three domains are being issued from a new DigiCert PKI. This means that the Root CA certificate installed in your Trust Store (used to make API calls to the above three domains) has to be changed over from GeoTrust to DigiCert.
What do I need to do?
Action Item 1: Add the DigiCert Global Root CA certificate to your Trust Store that connects to https://sandbox.api.visa.com
This is to enable you to test out your Trust Store configuration in the Visa Developer Sandbox environment (https://sandbox.api.visa.com) before making the same change in the production API calls to https://api.visa.com
The DigiCert Global Root CA certificate is available for download at https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt (full list of DigiCert root certificates: https://www.digicert.com/digicert-root-certificates.htm).
If you use a JKS file as your Trust Store (refer: https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Stores):
You can perform the following instructions to add the DigiCert Global Root CA certificate to your Trust Store.
keytool -import -alias DigiCertGlobalCA -keystore <Path to JKS (Trust Store) file> -file DigiCertGlobalRootCA.crt
As part of your earlier onboarding process to Visa Developer, you should have already added the GeoTrust Global Root CA certificate to your Trust Store.
Please ensure that you do not remove the original GeoTrust Global Root CA certificate until after October 27th.
Action Item 2: Add the DigiCert Global Root CA certificate to your Trust Store that connects to https://cert.api.visa.com and to https://api.visa.com
The steps are identical to those provided under “Action Item 1”. The only difference is the Trust Store you are applying them to.
Action Item 3: Remove the GeoTrust Global Root CA certificate from your Trust Store for all 3 domains impacted
After October 27th, you can remove the older GeoTrust Global CA certificate from your Trust Store, since it will no longer be required.
If you use a JKS file as your Trust Store, then you can run the following command to remove the GeoTrust Global Root CA certificate from your Trust Store.
keytool -delete -alias geotrustglobalca -keystore <Path to JKS (TrustStore) file>
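The three action items leave the Trust Store in two valid states: both roots present during the transition, and DigiCert only after cleanup. The following added example (not Visa's code) classifies `keytool -list` output against each stage; it assumes the roots sit under the aliases used in the commands on this page, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: audit `keytool -list` output against the rollout stages above.
# Assumption: the roots sit under the aliases used in the commands on this page.
# JKS stores aliases case-insensitively, so they are compared in lower case.
DIGICERT_ALIAS="digicertglobalca"
GEOTRUST_ALIAS="geotrustglobalca"

# Constructed sample of `keytool -list` output (not captured from a real store).
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

digicertglobalca, Oct 10, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
geotrustglobalca, Jan 5, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
EOF
}

# has_trusted_alias <alias> <listing>: true if the alias is a trustedCertEntry.
has_trusted_alias() {
    printf '%s\n' "$2" | awk -F', *' -v want="$1" '
        tolower($1) == want && /trustedCertEntry/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_truststore <stage> reads a listing on stdin and prints a verdict.
#   transition: both roots present (Action Items 1 and 2)
#   cleanup:    DigiCert present, GeoTrust removed (Action Item 3)
check_truststore() {
    ts_listing=$(cat)
    ts_digicert=no; ts_geotrust=no
    has_trusted_alias "$DIGICERT_ALIAS" "$ts_listing" && ts_digicert=yes
    has_trusted_alias "$GEOTRUST_ALIAS" "$ts_listing" && ts_geotrust=yes
    if [ "$ts_digicert" = no ]; then echo "MISSING_DIGICERT"; return 1; fi
    case "$1:$ts_geotrust" in
        transition:yes|cleanup:no) echo "OK"; return 0 ;;
        transition:no)  echo "GEOTRUST_REMOVED_EARLY"; return 1 ;;
        cleanup:yes)    echo "GEOTRUST_STILL_PRESENT"; return 1 ;;
        *)              echo "UNKNOWN_STAGE"; return 2 ;;
    esac
}

# Real use: keytool -list -keystore <Path to JKS (Trust Store) file> | check_truststore transition
sample_listing | check_truststore transition
```

An alias match only shows that an entry with that name exists; compare the listed fingerprint with the output of `keytool -printcert -file DigiCertGlobalRootCA.crt` to confirm it is the certificate you downloaded.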
If you use middleware software at your site/data-center between your Java service and API call to Visa Developer, then please ensure that the Trust Store in your middleware software is configured appropriately.
Fundamentally, the system at your end that establishes the TLS connection with Visa Developer is the one that needs the Trust Store updated with the DigiCert certificate.
If you use programming languages other than Java, then you would need to perform the appropriate steps for your programming language/tech-stack for addition of the DigiCert Global Root CA certificate hosted at https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt to the relevant Trust Store leveraged by your system.
Please note that failure to trust the DigiCert Global Root CA certificate before October 16th will result in Visa API service interruption.
Make sure to read the GeoTrust Certificate FAQs for more.
If you have any questions please contact your designated Visa contact or developer@visa.com