What is happening?

Authorize.net is changing the SSL/TLS certificates that applications and websites use to communicate with our systems, moving from Entrust to DigiCert. This change will impact both browser-based and server-to-server interactions.

What this means?

For non-API users interacting with Authorize.net via a web browser, there's no change necessary. Just ensure that your browser is up to date.

Merchants who utilize Authorize.net APIs and endpoint URLs in their websites or applications will need to make updates. They will need to integrate and use the newly-issued Root and Intermediate (CA) SSL certificates from DigiCert. This should be done before the scheduled revocation dates to avoid disruptions.

Certificate Migration Schedule

• Sandbox: August 15th, 2024
• Production: September 17th, 2024

Action Required

Merchants using Authorize.net APIs and endpoint URLs should coordinate with their developer or hosting/solution provider to implement all necessary measures to ensure their connections to Authorize.net follow industry standards. This includes updating their systems with the new Root and Intermediate (CA) SSL certificates.

If testing is needed, it is recommended to be done in the Sandbox environment as soon as Authorize.net releases the new DigiCert SSL certificates on August 15th, 2024. Testing in the Production environment won't be possible before the Production release date on September 17th, 2024.

Scenarios Requiring Action:

1. Users whose applications or websites pin the leaf certificate will need to update their settings.
2. Users whose applications or websites use custom trust stores will need to import the DigiCert CAs.
3. Users whose applications or websites pin to the CAs will need to update their pins.

Important Note

Do not revoke or remove any of your existing Entrust certificates linked with Authorize.net endpoints before the scheduled dates mentioned above. Until the cut-off dates, the only supported certificates will be the Entrust SSL certificates. You may add the new certificates to your system and verify their functionality in the Sandbox environment.

Downloading the Certificates

You can download the latest version of the Root and Intermediate (CA) certificates from the zip file in the Attachments section below.

If your application requires server-level certificate trust, install (trust) the new certificates before the existing certificates expire to avoid any production impact. The link to the Server-Level (leaf) SSL certificate will be updated later in this support article once they become available. Please note, we recommend that merchants trust only the Root and Intermediate CA SSL certificates on all secure endpoints. This avoids the annual need to renew the server-level certificate.

For additional information on obtaining the latest version of Authorize.net's SSL certificate, please refer to our support article: Where can I find the latest version of Authorize.nets server-level SSL certificates?

Impacted API Endpoints:

Sandbox URLs

• test.authorize.net
• apitest.authorize.net

Production URLs

• secure.authorize.net
• secure2.authorize.net
• api.authorize.net
• api2.authorize.net