Support

GLN Change DigiCert  root Certificate RENEWAL for *.myvan.descartes.com Production February 13, 2024 14:00 UTC

 REMINDER - Descartes Systems GLN Messaging - *.myvan.descartes.com Certificate Change in Production - CHN-38733

Dear Valued Customer,

As part of Descartes continues effort to keep our environment current and secure, we will update our TLS certificate for the domains ending in *myvan.descartes.com. Besides the yearly client certificate update, the new certificate will also have a new root certificate in its chain.

The new Digicert is available in GLN pre-production from January 18, 2024 14:00 UTC.

Why are we doing this?

The current TLS certificate is expiring on 2024-02-16 23:59:59 UTC and in order to keep our services running, we will have to update our certificate before the expiry date.

Our Certificate Authority DigiCert is changing its root certificate to a second-generation root certificate. 
More info can be found here: https://knowledge.digicert.com/generalinformation/digicert-root-and-intermediate-ca-certificate-updates-2023.html

When are we doing this?

Our pre-production certificate will be replaced on Thursday 2024-01-18 14:00 UTC

Our production certificate will be replaced on Tuesday 2024-02-13 14:00 UTC

What is the impact?

For most connections, this change will be transparent because Descartes uses DigiCert and not use self-signed certificates.  If you connect with an Internet browser, your browser or operating system will be able to validate the new certificate chain.

However, some setups require the specific upload of the root and/or client TLS certificate. 

What is expected of you?

If you are connecting via a browser: No action is required, and you will be able to continue working without interruption.

If you have a backend (system to system) connection: Check with the team managing this connection if they need to upload the Root and/or Client TLS certificate.

If we are expected to connect to your environment and use the TLS client certificate to authenticate, please ensure that validation is done by subject, the new root CA and a CRL check.

What does not change?

Our AS2 S/MIME certificate is not changing.  If you have an AS2 S/MIME connection, DO NOT change the certificate used for signature verification/encryption.  This certificate will remain the same.

Details of the certificate being replaced
 Root CA: DigiCert Global Root CA  (A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36)

Subject: /CN=*.myvan.descartes.com/O=The Descartes Systems Group Inc./L=Waterloo/S=Ontario/C=CA 

Thumbprint:     42:7b:ec:fb:0c:74:d4:10:15:63:5f:14:fd:b9:d1:75:74:14:26:d3

S/N:    0d:2d:64:e6:ae:8a:6f:d2:6a:09:8a:ab:d4:a9:e5:f7

Expiry Date: 2024-02-16 23:59:59 UTC

Details of the new certificate

Root CA: DigiCert Global Root G2 (DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4)
Subject: /CN=*.myvan.descartes.com/O=The Descartes Systems Group Inc./L=Waterloo/S=Ontario/C=CA (no change)

Descartes strongly recommends to validate a TLS client certificate by the Subject DN and the issuing CA, instead of by the serial number or fingerprint.

Applying different validation strategies may lead to outages as Descartes will annually renew its TLS certificates per industry best practices.

To raise any questions or issues, please refer to the Customer Support Portal or email the Service Desk. Reference CHN-38733

Kind Regards,

Descartes Service Desk

 Email: servicedesk@descartes.com

This email is for informational purposes only; please do not reply to it. All inquiries are to be directed to servicedesk@descartes.com or you can visit our client portal at https://servicedesk.descartes.com

Descartes Systems Group

www.descartes.com