Mandatory Update: DigiCert Certificate Configuration for RSA Prime (Required by October 06, 2025 for Cloud Access Service Integration)
8 months ago
Severity
Critical

Introduction 

    In 2024, Google announced its plan to discontinue support for Entrust Certificate Authority (CA) in Google Services (such as Chrome, one of the most used Web Browsers) by October 2025 (Reference: Google Online Security Blog: Sustaining Digital Certificate Security - Entrust Certificate Distrust). 
     
    Prior to this announcement, RSA used Entrust CA in RSA Cloud Access Service (formerly known as RSA Cloud Authentication Service), and in applications such as RSA Authentication Manager, RSA Authenticate app, RSA Authenticator app, and RSA Prime.
     
    As a result, RSA is moving to a new CA (DigiCert) in the week commencing October 06, 2025; the new CA certificates are already included in the latest versions of RSA Authentication Manager and the RSA Authenticator app.

       

         
    Affected Products 

    • All PrimeKit versions supporting hybrid use cases connected to RSA Cloud Access Service.
    • Other RSA products affected by the same issue are covered under different advisories.

        

     Required Actions

    •  To maintain trust and service continuity in RSA Prime, DigiCert root and intermediate certificates must be added to the Java truststore used by Prime before Monday, October 06, 2025.
    •  Two methods are available for installing the certificates; choose only one approach:
      • An automated approach using the provided scripts (recommended).
      • A manual step-by-step procedure for environments where scripting is not feasible.

      

    What does the Script do?

    • Validates if DigiCertCA2025 and DigiCertRA2025 already exist in the truststore.
    • Prompts for the truststore password.
    • Generates and writes the embedded DigiCert Root and Intermediate certificate files.
    • Imports both certificates into truststore.jks.
    • Outputs success or failure for each certificate import.

       

    First Option (recommended) - Script Instructions

    1. Download the attached script for the host OS type and upload it to <Prime_Home>/scripts/tools:
      a. Linux: update_digicert_truststore.sh
      b. Windows: update_digicert_truststore.ps1
    2. For Linux systems:
      1. Navigate to <Prime_Home>/scripts/tools directory
        cd /<Prime_Home>/scripts/tools
      2. Reset the Permissions
        ./3_reset_perms.sh
      3. Execute the script
        ./linux_update_digicert_truststore.sh
      4. Restart AMIS service:
        cd ..
        ./amis_shutdown.sh
        ./amis_startup.sh
    3. For Windows systems:
      1. Run PowerShell as an administrator
      2. Navigate to <Prime_Home>\scripts\tools
        cd <Prime_Home>\scripts\tools
      3. Execute the script
        ./windows_update_digicert_truststore.ps1
      4. Restart RSA AMIS (Tomcat) from the Windows Services
            

    Second Option - Manual Instructions

    1. Obtain DigiCert's root and intermediate CA certificates
    2. Upload the certificates to <Prime_Home>/certificates
      1. Note: Make sure that the certificate name is as follows:
        1. Root Certificate: DigiCertRootCA.crt
        2. Intermediate Certificate:  DigiCertIntermediateCA.crt
    3. Import the certificates using keytool:
      1. Change to <Prime_Home>/certificates
      2. Execute the following command to import the DigiCert root certificate

        For Linux:

        ../java/latest/bin/keytool -importcert -alias digicertroot -keystore truststore.jks -file DigiCertRootCA.crt

        For Windows:

        ..\java\latest\bin\keytool.exe -importcert -alias digicertroot -keystore truststore.jks -file DigiCertRootCA.crt
      3. Execute the following command to import the DigiCert intermediate certificate

        For Linux:

        ../java/latest/bin/keytool -importcert -alias digicertintermediate -keystore truststore.jks -file DigiCertIntermediateCA.crt

        For Windows:

        ..\java\latest\bin\keytool.exe -importcert -alias digicertintermediate -keystore truststore.jks -file DigiCertIntermediateCA.crt
        
      4. You will be prompted to provide the truststore password
    4. Restart the AMIS service.
      1. For Linux systems: 
        cd ..
        ./amis_shutdown.sh
        ./amis_startup.sh
      2. For Windows systems: restart RSA AMIS (Tomcat) from the Windows Services
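    Both the script's alias check and the manual keytool import above depend on trusting the right certificate files. As an added example (not RSA's script), this Python helper pins each .crt to an expected SHA-256 fingerprint before importing it and skips an alias that is already in truststore.jks; the fingerprint values are placeholders to be filled from DigiCert's published details, and the keytool path, alias names and file names follow this advisory's manual steps.

```python
"""Pin each DigiCert CA file to a SHA-256 fingerprint, then import it into Prime's truststore.jks only if absent."""
import base64
import getpass
import hashlib
import re
import subprocess
from pathlib import Path

# PLACEHOLDERS: fill in the SHA-256 fingerprints DigiCert publishes for the root and intermediate you downloaded.
EXPECTED_SHA256 = {
    "digicertroot": "<DIGICERT_ROOT_SHA256_PLACEHOLDER>",
    "digicertintermediate": "<DIGICERT_INTERMEDIATE_SHA256_PLACEHOLDER>",
}
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: bytes) -> bytes:
    """Take the first CERTIFICATE block from PEM text and base64-decode it to DER."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(b"".join(match.group(1).split()))

def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, formatted like keytool's 'SHA256:' line (AA:BB:...)."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def fingerprint_matches(pem: bytes, expected: str) -> bool:
    """Compare ignoring case and colon separators, so a pin copied in either style works."""
    normalize = lambda s: s.replace(":", "").upper()
    return normalize(sha256_fingerprint(pem_to_der(pem))) == normalize(expected)

def alias_present(keytool: str, keystore: str, alias: str, storepass: str) -> bool:
    """keytool -list exits 0 when the alias exists in the keystore and non-zero otherwise."""
    cmd = [keytool, "-list", "-keystore", keystore, "-alias", alias, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def import_if_verified(keytool: str, keystore: str, alias: str, crt: str, storepass: str) -> str:
    """Refuse an unpinned file, skip an alias already present, otherwise import with -noprompt."""
    if not fingerprint_matches(Path(crt).read_bytes(), EXPECTED_SHA256[alias]):
        raise SystemExit(f"{crt}: fingerprint does not match the pinned value; not imported")
    if alias_present(keytool, keystore, alias, storepass):
        return "skipped"
    cmd = [keytool, "-importcert", "-noprompt", "-alias", alias, "-keystore", keystore, "-file", crt, "-storepass", storepass]
    subprocess.run(cmd, check=True)
    return "imported"

if __name__ == "__main__":  # run from <Prime_Home>/certificates, as in the manual steps
    pw = getpass.getpass("truststore password: ")
    for alias, crt in (("digicertroot", "DigiCertRootCA.crt"), ("digicertintermediate", "DigiCertIntermediateCA.crt")):
        print(alias, import_if_verified("../java/latest/bin/keytool", "truststore.jks", alias, crt, pw))
```

Run it once per host after copying the two .crt files into place; a fingerprint mismatch stops before anything is written to the truststore.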

    If you need any help, contact the RSA Support Team.
