RSA MFA Agent for PAM version 8.0.0 and later
In 2024, Google announced its plan to discontinue support for Entrust Certificate Authority (CA) in Google Services, such as Chrome, one of the most widely used web browsers, by October 2025. (Reference: Google Online Security Blog: Sustaining Digital Certificate Security - Entrust Certificate Distrust).
Prior to this announcement, RSA used Entrust CA in the RSA Cloud Access Service (formerly known as the RSA Cloud Authentication Service) and applications including RSA Authentication Manager, RSA Authenticate app, RSA Authenticator app, and RSA MFA Agent. RSA is moving to a new CA, DigiCert, which is already included in the latest versions of RSA Authentication Manager, RSA Authenticator app, and RSA MFA Agents.
Google will discontinue support for Entrust CA in Google services by October 2025.
To maintain trust and service continuity in RSA MFA Agent for PAM, DigiCert root and intermediate certificates must be added to the truststore used by RSA MFA Agent for PAM before week commencing Monday, October 6, 2025.
Note: No action is required for products connected to RSA Authentication Manager or RSA Authentication Manager Hybrid.
Obtain the updated certificate
- The updated certificate file, cert.pem, is included in the zip file available for download here.
- The file contains both Entrust and DigiCert certificates.
- Place this file under the default path:
/var/ace/
Configure the certificate
- Open the MFA configuration file located at: /var/ace/mfa_api.properties
- Locate the configuration parameter CA_CERT_FILE_PATH.
- The default location of the certificate file is: /var/ace/cert.pem
For example: CA_CERT_FILE_PATH=/var/ace/cert.pem - Edit the CA_CERT_FILE_PATH configuration parameter to specify this file path: CA_CERT_FILE_PATH=/var/ace/cert.pem
- Copy the cert.pem file to the /var/ace/ directory.
- Ensure the CA_CERT_FILE_PATH parameter is set correctly to points the cert.pem file.
No workaround is available. Complete the certificate update before October 6, 2025, to avoid service disruption.
- The update adds DigiCert certificates alongside Entrust certificates to ensure a seamless transition.
- This change affects only RSA MFA Agent for PAM 8.0.0 and later.
- Products connected to RSA Authentication Manager or Hybrid do not require this update.
Related Articles
Update DigiCert Certificates to Maintain Trust and Service Continuity in RSA MFA Agent for Apache Number of Views RSA Authenticator 4.6 for iOS and Android Quick Start Guide (Korean) Number of Views DSA-2020-134: RSA Identity Governance and Lifecycle Security Update for Intel Platform Vulnerabilities Number of Views RSA SecurID Authenticator 4.2 for iOS and Android Administrator Guide Number of Views SecurID Authenticator 5.0 for macOS Administrator's Guide Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) How to install the jTDS JDBC driver on WildFly for use with Data Collections in RSA Identity Governance & Lifecycle RSA Authentication Manager 8.8 Setup and Configuration Guide Artifacts to gather in RSA Identity Governance & Lifecycle
