What’s happening
The TLS/SSL certificate protecting the Cleo Integration Cloud (CIC) domains periodically expires, as do all TLS/SSL certificates. To avoid any interruption in service, the current certificate will be replaced with an updated certificate.
Scheduled certificate update: Monday, June 16, 2025
Current certificate expiration: Monday, June 30, 2025 at 18:59:59 CDT (23:59:59 GMT)
What do I need to do?
In most cases, no action is required on your part, or on the part of your trading partners.
If required, you can update your root certificates. To avoid potential connection errors, please verify your root certificate configuration in all systems needing to connect to CIC prior to Monday, June 16, 2025.
Background on certificates
Certificates are signed through a hierarchy of digital certificates anchored by a set of trusted root certificates that are trusted by default with many operating systems and application platforms. For example,
- The Trusted Root Certificates for Microsoft platforms are documented at: https://docs.microsoft.com/en-us/security/trusted-root/participants-list
- The Trusted Root Certificates for Google platforms (including Chrome) are documented at: https://g.co/chrome/root-policy
- The Trusted Root Certificates for Apple platforms are documented at: https://support.apple.com/en-us/HT213080
- Trusted Root Certificates were added to OpenJDK as documented here: https://openjdk.java.net/jeps/319
Cleo Integration Cloud (CIC) certificate details
The new CIC certificate is issued by AAA Certificate Services, operated by Sectigo. The AAA Certificate Services root is trusted by all four root certificate programs listed above, and Sectigo participates in the Common CA Database https://www.ccadb.org/.
The CIC certificate is used as part of the SSL/TLS validation process for all protocols using TLS. This includes:
- Browser access to https://cleointegration.cloud, https://subdomain.cleointegration.cloud, https://integrationplatform.io, or https://subdomain.integrationplatform.io.
- Access to any of the above domains for HTTPs API (REST or SOAP), FTPs, AS2, or OFTP/2.
- Note that SSH (sftp) connections do not use SSH/TLS and are not affected by the certificate update.
- Note that certificates used for payload signing and encryption when using business protocols such as AS2 and OFTP/2 are not affected by this change, but like all X.509 certificates they do expire and require periodic maintenance.
Optional actions
Download the AAA Certificate Services
If you are not sure if certificates issued by Sectigo (Comodo) under AAA Certificate Services are trusted by your software, you can
- Download the AAA Certificate Services root here
- Install it into your software
You can identify the AAA Certificate Services root CA certificate by:
- Name (Subject): AAA Certificate Services
- Fingerprint (SHA 1): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
- Fingerprint (SHA 256): D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Need help?
If you have any questions, want more information, or need help with the update, please reach out to certificate_exchange@cleo.com to get in direct contact with Cleo’s team.
Thank you,
Your Cleo Team
Comments
0 comments
Please sign in to leave a comment.