RSA MFA Agent for PAM version 8.0.0 and later
In 2024, Google announced its plan to discontinue support for Entrust Certificate Authority (CA) in Google Services, such as Chrome, one of the most widely used web browsers, by October 2025. (Reference: Google Online Security Blog: Sustaining Digital Certificate Security - Entrust Certificate Distrust).
Prior to this announcement, RSA used Entrust CA in the RSA Cloud Access Service (formerly known as the RSA Cloud Authentication Service) and applications including RSA Authentication Manager, RSA Authenticate app, RSA Authenticator app, and RSA MFA Agent. RSA is moving to a new CA, DigiCert, which is already included in the latest versions of RSA Authentication Manager, RSA Authenticator app, and RSA MFA Agents.
Google will discontinue support for Entrust CA in Google services by October 2025.
To maintain trust and service continuity in RSA MFA Agent for PAM, DigiCert root and intermediate certificates must be added to the truststore used by RSA MFA Agent for PAM before the week commencing Monday, October 6, 2025.
Note: No action is required for products connected to RSA Authentication Manager or RSA Authentication Manager Hybrid.
Obtain the updated certificate
- The updated certificate file, cert.pem, is included in the zip file available for download here.
- The file contains both Entrust and DigiCert certificates.
- Place this file under the default path:
/var/ace/
Configure the certificate
- Open the MFA configuration file located at: /var/ace/mfa_api.properties
- Locate the configuration parameter CA_CERT_FILE_PATH.
- The default location of the certificate file is: /var/ace/cert.pem
  For example: CA_CERT_FILE_PATH=/var/ace/cert.pem
- Edit the CA_CERT_FILE_PATH configuration parameter to specify this file path: CA_CERT_FILE_PATH=/var/ace/cert.pem
- Copy the cert.pem file to the /var/ace/ directory.
- Ensure the CA_CERT_FILE_PATH parameter is set correctly to point to the cert.pem file.
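To confirm the result of the steps above, the following shell check is an added example, not RSA tooling: it reads CA_CERT_FILE_PATH from the properties file, confirms the bundle is readable and holds at least two PEM certificates, and, when openssl is installed, confirms that DigiCert and Entrust subjects are present. The function names and the plain KEY=VALUE parsing of mfa_api.properties are assumptions.

```shell
#!/bin/sh
# Added example, not RSA tooling. Function names are hypothetical.
# Assumes mfa_api.properties uses plain KEY=VALUE lines.

# Print the value of CA_CERT_FILE_PATH (last assignment wins).
ca_cert_path() {
    sed -n 's/^[[:space:]]*CA_CERT_FILE_PATH[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Count PEM certificate blocks in a bundle (prints 0 for none).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print subject/issuer lines for every certificate in the bundle.
list_bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Return 0 only if the configured bundle exists and looks complete.
check_truststore() {
    props=$1
    pem=$(ca_cert_path "$props")
    [ -n "$pem" ] || { echo "CA_CERT_FILE_PATH not set in $props" >&2; return 1; }
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    n=$(count_pem_certs "$pem")
    [ "$n" -ge 2 ] ||
        { echo "$pem holds $n certificate(s), expected Entrust and DigiCert" >&2; return 1; }
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, CA name check skipped" >&2
        return 0
    fi
    subjects=$(list_bundle_subjects "$pem" | grep '^subject') ||
        { echo "openssl could not read certificates from $pem" >&2; return 1; }
    for ca in DigiCert Entrust; do
        printf '%s\n' "$subjects" | grep -qi "$ca" ||
            { echo "no $ca certificate found in $pem" >&2; return 1; }
    done
    echo "OK: $pem holds $n certificates, DigiCert and Entrust present"
}

# Run against a properties file when one is given, e.g.
#   sh check_truststore.sh /var/ace/mfa_api.properties
if [ "$#" -gt 0 ]; then
    check_truststore "$1"
fi
```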
No workaround is available. Complete the certificate update before October 6, 2025, to avoid service disruption.
- The update adds DigiCert certificates alongside Entrust certificates to ensure a seamless transition.
- This change affects only RSA MFA Agent for PAM 8.0.0 and later.
- Products connected to RSA Authentication Manager or Hybrid do not require this update.