
Alerts for Expiring CA Certificates

Posted: Wed May 29, 2019 2:43 pm
by Support_Tim
If you have received a certificate expiration warning like the one below, it means a CA Certificate is expiring. This does not mean it is in use, and most likely is not – in which case it can be deleted. If you are not sure, you can export a copy of the certificate first. This will create a backup if you need to import it back in.

As with any CA certificate, it will only affect GoAnywhere MFT transfers if it is actually being used by one of your SSL-enabled listeners, or to build trust for a public certificate that has been provided to you by a trading partner. Its use is unlikely since these are older SHA1 RSA 1024 certs.
[Screenshot: CA Cert exp.PNG, the certificate expiration warning]
GoAnywhere and the Java JRE provide these CA certificates for your convenience. When you install GA, all the latest CA certificates are loaded into the KMS system vault for you. When you upgrade GA, they are not. This is to ensure that CA certificates in use are not overwritten.
If you are using a CA certificate for an SSL-enabled service (such as HTTPS or FTPS host/listener), it will be found as part of a chain in the Key Management System (KMS) System vault or your Private Key Store (if using file-based certificates). If you find that you are using an expiring CA certificate (unlikely), you can simply download a new CA certificate from the CA website and import it into the System vault in the KMS, or if you know which certificate supersedes it, then you can open the Java Key Store cacerts at the location below to export it, then import it into GA. The password is ‘changeit’ (no quotes).
See your user guide for more information on KMS and certificate management (exporting / importing).

If the expiring certificate is being used by a trading partner’s public certificate, you will receive a “PKIX” error when it expires (or up to 30 days after). To test for this prior to expiration, one option is to export the CA certificate from the trusted key store and then delete it from the KMS or key store. If the trust chain fails (PKIX error), the resolution is to download the new CA certificate from the CA website or export it from the cacerts JKS file in the JRE. The password is ‘changeit’ (no quotes).

As of May 2019, these are the CA certificates expiring soon. These are older root certs that are likely not in use. You may see expiration alerts for one or all of them.
valicertclass2ca
secomvalicertclass1ca
utndatacorpsgcca
equifaxsecureebusinessca2

The following Certificates are expiring in July 2019:
certplusclass2primaryca
certplusclass3pprimaryca
utnuserfirstclientauthemailca
utnuserfirsthardwareca
utnuserfirstobjectca
deutschetelekomrootca2

The following Certificates are expiring in May 2020:
keynectisrootca
addtrustclass1ca
addtrustqualifiedca
addtrustexternalca

The following Certificates are expiring in June 2020:
equifaxsecureebusinessca1
equifaxsecureglobalebusinessca1

If you have been instructed to install a new CA certificate, it is most likely in the JRE. Only follow the below instructions if you are specifically instructed to use a CA certificate that is not in the system vault (KMS) or trusted key store (file based).

1. To retrieve replacement CA root certs from Java, first determine the Java location. In GA, click Help > About > System Info. Copy the Java Home path.
2. Go to the Encryption menu and click File Based Keys > Certificates. Then choose Open Key Store > Other.
3. Paste the path into Key Store Location, then click the ellipses to navigate to the subfolder …/lib/security. Select the file cacerts.
4. Enter the password ‘changeit’ and click “Open”.
5. You can now export the latest root certs for your Java version as instructed.
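Added example, not GoAnywhere or Java code: a small Python script that reads the output of `keytool -list -v` run against the cacerts store described above, lists the aliases expiring within a chosen window (so you can see which of the alerts above actually matter), and prints the keytool export command to take a backup of each before deleting it. The listing below is a constructed sample, `JAVA_HOME/lib/security/cacerts` is a placeholder path, and the alias `examplelongrootca` is invented.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-in for `keytool -list -v -keystore cacerts -storepass changeit`;
# only the lines this parser reads are included, and the dates are made up.
SAMPLE_LISTING = """\
Alias name: valicertclass2ca
Creation date: Jul 25, 2018
Entry type: trustedCertEntry
Valid from: Fri Jun 25 20:19:54 EDT 1999 until: Tue Jun 25 20:19:54 EDT 2019
Signature algorithm name: SHA1withRSA

Alias name: examplelongrootca
Creation date: Jul 25, 2018
Entry type: trustedCertEntry
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Fri Jan 01 00:00:00 UTC 2038
Signature algorithm name: SHA256withRSA
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# keytool prints dates as "EEE MMM dd HH:mm:ss zzz yyyy"; the zone name is ignored
# because day-level accuracy is all an expiry check needs.
DATE_RE = re.compile(r"\w{3} (\w{3}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}) \S+ (\d{4})")

def parse_keytool_date(text):
    m = DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised keytool date: {text!r}")
    mon, day, hh, mi, ss, year = m.groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mi), int(ss))

def parse_entries(listing):
    """Map alias -> (entry type, not-after datetime) from keytool -list -v output."""
    entries, alias, kind = {}, None, None
    for line in listing.splitlines():
        if line.startswith("Alias name:"):
            alias, kind = line.split(":", 1)[1].strip(), None
        elif line.startswith("Entry type:"):
            kind = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:") and alias:
            entries[alias] = (kind, parse_keytool_date(line.split(" until: ", 1)[1]))
    return entries

def expiring(listing, today_iso, days=90):
    """Aliases whose certificate expires within `days` of today (already-expired ones included)."""
    cutoff = datetime.fromisoformat(today_iso) + timedelta(days=days)
    return sorted(a for a, (_, not_after) in parse_entries(listing).items() if not_after <= cutoff)

def backup_commands(aliases, keystore="JAVA_HOME/lib/security/cacerts"):
    """Export commands (password changeit) to keep a PEM copy of each alias before deleting it."""
    return [f"keytool -exportcert -rfc -keystore {keystore} -storepass changeit "
            f"-alias {a} -file {a}.pem" for a in aliases]

if __name__ == "__main__":
    print("\n".join(backup_commands(expiring(SAMPLE_LISTING, "2019-05-29"))))
```

Run it against real output by piping `keytool -list -v` into `parse_entries`; an alias that appears here but is not part of any chain in the KMS System vault or your file-based key store is the "not in use" case the post describes.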