Security Certificate Help
Security Certificate Update
On August 2, 2017, DigiCert announced that it was purchasing all website and public key infrastructure (PKI) services from Symantec. This acquisition included Symantec subsidiaries Thawte, GeoTrust and RapidSSL. Once the transition was complete, a subsequent announcement was released notifying customers that, effective November 30, 2017, all certificates issued from DigiCert and its subsidiaries would use a new public key infrastructure (PKI) hierarchy.
What Was Changed?
The following changes will go into effect on March 13, 2018, when the National Student Clearinghouse renews our Extended Validation Certificate for secure.studentclearinghouse.org:
- DigiCert High Assurance EV Root CA (SHA1) will replace Thawte Primary Root CA (SHA1)
- DigiCert EV RSA CA 2018 (SHA256) will replace Thawte EV SSL CA – G3 Intermediate CA (SHA256)
Do I Need to Do Anything?
If you are accessing the National Student Clearinghouse directly using a web browser and operating system that has been fully patched, you should not be affected by this change. Edge, Internet Explorer, Firefox, Chrome, Safari, and most other current web browsers trust sites that use SSL certificates for secure communications using certificate authority (CA) trust chains, which are updated automatically when the browser is patched.
However, your IT department may need to make changes if you are experiencing connection problems and your application or service is configured to trust only the following:
- Thawte Primary Root CA
- Thawte EV SSL CA – G3 Intermediate CA
Resolving Connection Problems
If you are having problems connecting to our services or have an application that is accessing the National Student Clearinghouse through the secure.studentclearinghouse.org URL, we recommend you take one of the following actions.
Solution 1: Reconfigure your application to use secureapi.studentclearinghouse.org. The certificate used for SSL communication to this site does not expire until March 10, 2019. However, secureapi currently uses the same Root CA and Intermediate CA that secure.studentclearinghouse.org uses today. As a result, solution 1 only postpones the need for you to implement solution 2 until next year.
Solution 2: Download the following certificates and add them to your trust store. You may need to right-click the links below and select “Save target as…” in some browsers.
- Download the DigiCert High Assurance EV Root CA directly from Thawte
- Download the DigiCert EV RSA CA 2018 CA directly from Thawte
Incorporating the certificate into your systems to ensure your applications and services can communicate securely with secure.studentclearinghouse.org varies considerably from one technology to another. The following links may provide some guidance:
- Oracle Document – Managing Wallets and Certificates
- Oracle Document – How to Import a Trusted Certificate into the Package Keystore
- Adobe Document – How to import certificates to ColdFusion’s truststore
Additional Helpful Links
- DigiCert Article – DigiCert Completes Acquisition of Symantec Website Security and Related PKI Solutions
- SSL Support Desk Article – Symantec to Transition to New PKI Root Structure
- The Cybersecurity Insider Article – Symantec and DigiCert Acquisition FAQs
- Symantec Article – How certificate chains work
- Symantec Article – Google’s SHA-1 Deprecation Plan for Chrome
- DigiCert Article – What is an SSL Certificate?
- Microsoft Article – Working with Certificates
- Email firstname.lastname@example.org to request further assistance