The Symphony GCP platform uses certificates issued by Let's Encrypt rather than DigiCert. This provides better security and a better customer experience.
If your Symphony Messaging instance is scheduled to be migrated to our new Google Cloud Platform (GCP), please check if you have the latest Let's Encrypt Root and Intermediate certificates within your default CACERT or Custom truststore. If you do not have the latest certificates, you need to import the relevant certificates. This is required to keep your components, applications, and bots working seamlessly post-migration.
Note: This migration will help Symphony provide higher service availability, improved scalability, and the frequent delivery of new capabilities without downtime. Symphony Messaging instances hosted by Google Cloud Platform will deliver the same features, functionality, and security tenets, along with all other operational elements.
This article explains how to import the Let's Encrypt Root and Intermediate Certificates into your respective truststores. To learn more about the commands to do so, please refer to the article Troubleshooting keystore certificates using Java Keytool.
The certificates are published on the Let's Encrypt website. The ones Symphony uses are listed below (Table 1) in two formats, DER and PEM, with download links that point directly to Let's Encrypt.
| Format | Certificate Type | Certificate CN | Certificate Download URL | Status |
|---|---|---|---|---|
| DER | Root | ISRG Root X1 | https://letsencrypt.org/certs/isrgrootx1.der | |
| DER | Intermediate | R12 | https://letsencrypt.org/certs/2024/r12.der | |
| DER | Intermediate | R13 | https://letsencrypt.org/certs/2024/r13.der | |
| PEM | Root | ISRG Root X1 | https://letsencrypt.org/certs/isrgrootx1.pem | |
| PEM | Intermediate | R12 | https://letsencrypt.org/certs/2024/r12.pem | |
| PEM | Intermediate | R13 | https://letsencrypt.org/certs/2024/r13.pem | |
Table 1: Certificate outline availability table
The following Intermediate Certificates have been retired by Let's Encrypt and will not be used when issuing new certificates to your Symphony Messaging instance; they are listed in Table 2. To prevent any breaks in the chain, update your truststore with the current certificates listed in Table 1.
| Format | Certificate Type | Certificate CN | Certificate Download URL | Status |
|---|---|---|---|---|
| DER | Intermediate | R10 | https://letsencrypt.org/certs/2024/r10.der | ⚠️ |
| DER | Intermediate | R11 | https://letsencrypt.org/certs/2024/r11.der | ⚠️ |
| PEM | Intermediate | R10 | https://letsencrypt.org/certs/2024/r10.pem | ⚠️ |
| PEM | Intermediate | R11 | https://letsencrypt.org/certs/2024/r11.pem | ⚠️ |
Table 2: Retired certificates outlined; these will no longer be used to issue new Symphony Messaging instance certificates
Use the following Linux commands (Section 1) to download the certificates to your local machine, then import them into your respective truststores.
# DER format:
wget https://letsencrypt.org/certs/isrgrootx1.der
wget https://letsencrypt.org/certs/2024/r12.der
wget https://letsencrypt.org/certs/2024/r13.der
# PEM format:
wget https://letsencrypt.org/certs/isrgrootx1.pem
wget https://letsencrypt.org/certs/2024/r12.pem
wget https://letsencrypt.org/certs/2024/r13.pem
Section 1: Linux command to download the Root & Intermediate certificates.
Additionally, if you need the certificates in CER format, download the PEM files using the commands above (Section 1) and run the commands below (Section 2) to convert them to CER (DER-encoded) files.
$ openssl x509 -inform PEM -in isrgrootx1.pem -outform DER -out isrgrootx1.cer
$ openssl x509 -inform PEM -in r12.pem -outform DER -out lets-encrypt-r12.cer
$ openssl x509 -inform PEM -in r13.pem -outform DER -out lets-encrypt-r13.cer
Section 2: Conversion of PEM to CER commands
Note: Once the certificates are imported, you will need to restart the component, application, or bot for it to pick up the new certificates.
Checking the certificate chain
There are a couple of ways you can obtain the full chain of your pod certificate.
Option 1:
Use an online checker, entering your pod URL as the hostname to run the validation:
https://www.sslshopper.com/ssl-checker.html#hostname
The output displays these fields:
- Common name
- Organization
- Location
- Valid from
- Serial Number
- Signature Algorithm
- Issuer
Option 2:
Through the Command Line Interface (CLI), the openssl command can be used to check the chain.
Note: This command can also be scripted and scheduled to check certificate expiry at whatever frequency you need.
$ openssl s_client -showcerts -connect <POD-URL>:443
Note: Replace <POD-URL> with your pod name, for example, acme.symphony.com.
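As an added example (not part of this article), the following script parses the "Certificate chain" block printed by the openssl s_client command above and reports whether the pod's chain links correctly, is issued by a current intermediate from Table 1 rather than a retired one from Table 2, and terminates at ISRG Root X1. It assumes the OpenSSL 1.1.1+ output format (`s:`/`i:` lines with `CN = ...`); the sample output is constructed, with placeholder PEM bodies.

```python
import re
# Subject CNs of the Let's Encrypt CAs a pod chain should use after the migration (Table 1) and of the retired intermediates (Table 2).
CURRENT_CAS = {"ISRG Root X1", "R12", "R13"}
RETIRED_CAS = {"R10", "R11"}
# Constructed sample of the 'Certificate chain' block printed by `openssl s_client -showcerts`; the PEM bodies are placeholders, not real certificates.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:CN = acme.symphony.com
   i:C = US, O = Let's Encrypt, CN = R12
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCertificate==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R12
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCertificate==
-----END CERTIFICATE-----
"""
def cn_of(dn):
    """Pull the CN out of an OpenSSL-printed DN such as 'C = US, O = Let's Encrypt, CN = R12'."""
    m = re.search(r"\bCN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else ""
def parse_chain(output):
    """Collect the ' N s:<subject>' / '   i:<issuer>' pairs, in the order the server sent them."""
    chain = []
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+s:(.*)$", line)
        if m:
            chain.append({"depth": m.group(1), "subject": cn_of(m.group(2)), "issuer": ""})
        elif chain and re.match(r"^\s+i:", line):
            chain[-1]["issuer"] = cn_of(line.split("i:", 1)[1])
    return chain

def check_chain(output):
    """Return a list of findings; an empty list means the served chain matches Table 1."""
    if not (chain := parse_chain(output)):
        return ["no 'Certificate chain' block found in the s_client output"]
    findings = []
    for lower, upper in zip(chain, chain[1:]):  # each certificate must be signed by the next one up
        if lower["issuer"] != upper["subject"]:
            findings.append(f"broken link at depth {lower['depth']}: issuer {lower['issuer']!r} is not {upper['subject']!r}")
    issuer = chain[0]["issuer"]
    if issuer in RETIRED_CAS:
        findings.append(f"leaf issued by retired intermediate {issuer}; expect R12 or R13")
    elif issuer not in CURRENT_CAS:
        findings.append(f"leaf issued by unexpected CA {issuer!r}")
    if "ISRG Root X1" not in (chain[-1]["issuer"], chain[-1]["subject"]):
        findings.append("chain does not end at ISRG Root X1; check the truststore has the Table 1 root")
    return findings
```

Feed it the saved output of the s_client command; if the pod's host serves several names, append `-servername <POD-URL>` to that command so the server returns the pod's own chain.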