This advisory reiterates the information communicated earlier in May 2025, July 2025, and August 2025.  

Introduction

Google decision to distrust Entrust CA is forcing RSA CAS to move to DigiCert Global CA, from week commencing 6th October. Multiple components deployed by clients and connected with RSA CAS must be upgraded/updated to the new CA prior to 6th October.

Detailed Impact

Failure to complete the actions listed below by the defined deadline will result in the following possible disruptions:

• Custom client integrations not upgraded to the right CA will impact AM/CAS connection, resulting normally in AM operating in High Availability Mode, i.e. the only authentication method available to users will then be OTP Authentication.
• Users of ‘non-compliant’ version of Mobile Authenticators will be limited to OTP Authentication only, all other authentication methods will fail
• Users of ‘non-compliant’ version of AM connected to CAS will see the connection between AM and CAS severed, resulting normally in AM operating in High Availability Mode, i.e. the only authentication method available to users will then be OTP Authentication.
• Users of ‘non-compliant’ PRIME service will no longer be able to use PRIME to interact with CAS.
• Users of ‘non-compliant’ agents listed below and connected to CAS will no longer be able to authenticate, even with OTP Authentication.

Affected Products

• Custom Client Integrations connected to RSA CAS.
• RSA Authentication Manager, all versions supporting hybrid use cases connected to RSA CAS
• Authentication Managers not connected to RSA CAS are not impacted, but it is always a good practice for organizations to upgrade to the latest version of Authentication Manager to benefit from new features and security updates.
• RSA Authenticate app for iOS and Android, all versions ( )
• RSA Authenticator app for iOS and Android, all versions prior to V4.5 ( ), when authenticating with cloud-based (RSA CAS) credentials
• Users authenticating only with on-premises (Authentication Manager) based credentials are not impacted, but it is always a good practice for users to upgrade to the latest version of authentication applications to benefit from new features, security updates, and the latest OS qualifications.
• RSA MFA Agent for PAM, RSA MFA Agent for Apache, and Third-Party Integration using RSA REST API, when connected to RSA CAS
• RSA Prime, when connected to RSA CAS

Other RSA products are not affected.

Required Actions

To be completed before week commencing Monday 6th October 2025:

• Custom Client Integrations connected to RSA CAS 

The new certificates used by RSA are issued by DigiCert Global CA, and most modern systems already trust them by default. 
 If you use custom configurations, please review the following areas to avoid any connectivity issues: 

• Admin API integrations 
• OIDC and SAML applications not accessed via standard web browsers (e.g., apps with embedded browsers or custom HTTPS handling) 
• SCIM clients 
• Web proxies, firewalls, or load balancers performing SSL/TLS inspection or using a custom trust store 

Action Required (if applicable) 

• Custom Trust Stores 
• If you use pinned certificates or maintain your own CA bundles, confirm that the DigiCert Global Root and Intermediate certificates are included. 
• Application & API Integrations

• Validate that your Admin API, SCIM clients, and OIDC/SAML apps connect successfully without certificate errors. 
• For applications with embedded browsers or custom HTTPS handling, ensure they can establish secure TLS connections.
• Proxy/Firewall Configurations 
• If SSL inspection or TLS termination is enabled, update your proxies, WAFs, or load balancers to trust the new DigiCert Global CA certificates. 

• RSA Authentication Manager used with RSA CAS in Hybrid/High Availability Mode

• RSA Authentication Manager 8.8: No action required. AM 8.8, which was released in April 2025, includes the required new certificates.
• RSA Authentication Manager 8.7 SP2: Install AM 8.7 SP2 Patch 6, which includes the required new certificates.
• RSA Authentication Manager 8.7 SP1: Install AM 8.7 SP1 Patch 3 Hotfix 2. For more details, see Authentication Manager 8.7 SP1 Patch 3 Hotfix 2 Read Me.
• RSA Authentication Manager 8.7: Install AM 8.7 Patch 4 Hotfix 2. For more details, see Authentication Manager 8.7 Patch 4 Hotfix 2 Read Me.
• RSA Authentication Manager 8.6: Install AM 8.6 Patch 4 Hotfix 2. For more details, see Authentication Manager 8.6 Patch 4 Hotfix 2 Read Me.
  
  Customers using an older/no longer supported version of Authentication Manager in Hybrid/High Availability Mode with Cloud Access Service must upgrade to any of the supported versions listed above.

• RSA Authenticate app for iOS and Android (legacy app using the following icon  , no longer supported since March 2024)
  All RSA Authenticate app for iOS and Android users must migrate to the latest RSA Authenticator app for iOS and Android. For further information, refer to the following advisory, published on March 27, 2025: Time is Running Out – Users Must Migrate from the Legacy RSA Authenticate App to the Supported RSA Authenticator App by October 2025.
  
  
• RSA Authenticator app for iOS and Android versions earlier than 4.5
  RSA Authenticator app for iOS and Android, prior to V4.5, and authenticating with RSA CAS must be upgraded to at least RSA Authenticator app V4.5 (current released version is V4.6). On upgrade, all credentials will be migrated seamlessly. Starting from the May 2025 RSA Cloud Access Service release, every time a user authenticates with RSA CAS to access a web-based resource using the RSA Authenticator app for iOS and Android with a version earlier than 4.5, he is presented with the following prompt.
  
  Note: The prompt will appear when a user looks to authenticate with a web-based resource protected by CAS, such as Salesforce. It will not appear when a user looks to authenticate with an RSA Agent, such as the RSA MFA Agent for Windows or RSA Agent for macOS. Users authenticating only with RSA Agents will have to be reminded separately by their organizations of the need to upgrade.

• RSA MFA Agent for PAM, RSA MFA Agent for Apache, and Third Party Integration using RSA REST API, When Connected to RSA CAS
• RSA MFA Agent for PAM: Install the certificate as detailed in Update DigiCert Certificates to Maintain Trust and Service Continuity in RSA MFA Agent for PAM.
• RSA MFA Agent for Apache: Install the certificate as detailed in Update DigiCert Certificates to Maintain Trust and Service Continuity in RSA MFA Agent for Apache.
• Any third party integration using RSA Authentication API (REST API): Add the DigiCert Global Root G2 certificate to your REST API client’s trust store from https://www.digicert.com/kb/digicert-root-certificates.htm.
• Customers with the Cloud Administration API clients must update their SIEM software or any custom client to have the DigiCert Global Root G2 certificate from https://www.digicert.com/kb/digicert-root-certificates.htm in their program’s trust store.  Customers using either the Java rsa-securidaccess-rest-client-sdk or Python admin_api_cli CLU from any RSA Cloud Admin Rest API Download should make sure that their Java or Python certificate store includes the DigiCert Global Root G2 certificate from https://www.digicert.com/kb/digicert-root-certificates.htm.

• RSA Prime when connected to RSA CAS
• See related advisory: RSA Prime, when connected to RSA CAS