Cleo Integration Cloud Certificate update on May 11, 2022

WE'RE UPDATING THE CIC CERTIFICATE ON WEDNESDAY, MAY 11, 2022.

What's happening

The TLS/SSL certificate protecting the Cleo Integration Cloud (CIC) domains periodically expires, as do all TLS/SSL certificates. To avoid any interruption in service, the current certificate will be replaced with an updated certificate. 

Scheduled certificate update: Between Wednesday, May 11 and Friday, May 13, 2022 
Current certificate expiration: Thursday, May 26th, 2022 at 6:59:59 pm CT (23:59:59 GMT) 

What do you need to do?

In most cases, no action is required on your part, or on the part of your trading partners.  

If required, you can update your root certificates. To avoid potential connection errors, please verify your root certificate configuration in all systems needing to connect to CIC prior to Wednesday, May 11th, 2022.  

Background on certificates

Certificates are signed through a hierarchy of digital certificates anchored by a set of trusted root certificates that are trusted by default with many operating systems and application platforms. For example,  

 - The Trusted Root Certificates for Microsoft platforms are documented at: https://docs.microsoft.com/en-us/security/trusted-root/participants-list 

 - The Trusted Root Certificates for Google platforms (including Chrome) are documented at: https://g.co/chrome/root-policy

 - The Trusted Root Certificates for Apple platforms are documented at: https://support.apple.com/en-us/HT213080

 - Trusted Root Certificates were added to OpenJDK as documented here: https://openjdk.java.net/jeps/319

Cleo Integration Cloud (CIC) certificate details

The new CIC certificate is issued by AAA Certificate Services, operated by Sectigo. The AAA Certificate Services root is trusted by all four root certificate programs listed above, and Sectigo participates in the Common CA Database (https://www.ccadb.org/). 

The CIC certificate is used as part of the SSL/TLS validation process for all protocols using TLS. This includes: 

 - Browser access to https://cleointegration.cloud, https://subdomain.cleointegration.cloud, https://integrationplatform.io, or https://subdomain.integrationplatform.io. 

 - Access to any of the above domains for HTTPs API (REST or SOAP), FTPs, AS2, or OFTP/2. 

 - Note that SSH (sftp) connections do not use SSL/TLS and are not affected by the certificate update. 

 - Note that certificates used for payload signing and encryption when using business protocols such as AS2 and OFTP/2 are not affected by this change, but like all X.509 certificates they do expire and require periodic maintenance

Optional actions

Download the AAA Certificate Services 

If you are not sure if certificates issued by Sectigo (Comodo) under AAA Certificate Services are trusted by your software, you can  

1. Download the AAA Certificate Services root here  

2. Install it into your software  

You can identify the AAA Certificate Services root CA certificate by: 

 - Name (Subject): AAA Certificate Services

 - Fingerprint (SHA 1): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49 

 - Fingerprint (SHA 256): D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4 

Directly manage the CIC Certificate (Not recommended) 

If you choose to directly manage the CIC Certificate, you can download it from:  

https://cleo-certs.s3.amazonaws.com/873964850repl_1.crt

Need help?

If you have any questions, want more information, or need help with the update, please reach out to certificate_exchange@cleo.com to get in direct contact with Cleo’s team.