Introduction
In 2024, Google announced its plan to discontinue support for Entrust Certificate Authority (CA) in Google Services (such as Chrome, one of the most used Web Browsers) by October 2025 (Reference: Google Online Security Blog: Sustaining Digital Certificate Security - Entrust Certificate Distrust). Prior to this announcement, RSA used Entrust CA in the RSA Cloud Access Service (formerly known as the RSA Cloud Authentication Service), used by applications such as RSA Authentication Manager, RSA Authenticate app, RSA Authenticator app, RSA MFA Agents, and Admin SDK/REST API integrations with CAS. RSA is therefore moving to a new CA on week/c 6th October, which is already included in the latest versions of RSA Authentication Manager and RSA Authenticator app.
This will require RSA clients to make sure they have completed the actions listed below before week/c Monday 6th October 2025. Failure to complete these upgrades by that deadline will cause critical failures in authentication flows from the affected products.
Affected Products
- RSA MFA Agent for PAM, all versions connected to the Cloud Access Service
- RSA MFA Agent for Apache 9.0.0 and above, all versions connected to the Cloud Access Service
- Any third party integration using RSA Authentication API (REST API), connected to the Cloud Access Service
- Cloud Administration API clients
Unaffected Products
- Other RSA MFA Agents connected to the Cloud Access Service, which gets the new certificate directly from the OS certificate store
- Any RSA MFA Agents connected to RSA Authentication Manager
Required Action
- RSA MFA Agent for PAM: Install the certificate as detailed in Update DigiCert Certificates to Maintain Trust and Service Continuity in RSA MFA Agent for PAM.
- RSA MFA Agent for Apache: Install the certificate as detailed in Update DigiCert Certificates to Maintain Trust and Service Continuity in RSA MFA Agent for Apache.
- Any third party integration using RSA Authentication API (REST API): Add the DigiCert Global Root G2 certificate to your REST API client’s trust store from https://www.digicert.com/kb/digicert-root-certificates.htm.
- Customers with the Cloud Administration API clients must update their SIEM software or any custom client to have the DigiCert Global Root G2 certificate from https://www.digicert.com/kb/digicert-root-certificates.htm in their program’s trust store. Customers using either the Java rsa-securidaccess-rest-client-sdk or Python admin_api_cli CLU from any RSA Cloud Admin Rest API Download should make sure that their Java or Python certificate store includes the DigiCert Global Root G2 certificate from https://www.digicert.com/kb/digicert-root-certificates.htm.
Related Articles
RSA Authentication Manager 8.8 upgrade fails with ERROR: auth_manager.rest_service.old_access_key is not found Number of Views RSA Release Notes: Cloud Access Service and RSA Authenticators Number of Views Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures Number of Views RSA Release Notes for RSA Authentication Manager 8.8 Number of Views The License/serial number being installed does not match the license/serial number stored on the server when installing an… Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) How to install the jTDS JDBC driver on WildFly for use with Data Collections in RSA Identity Governance & Lifecycle RSA Authentication Manager 8.8 Setup and Configuration Guide Artifacts to gather in RSA Identity Governance & Lifecycle
