Further Information Regarding Qvalent/Westpac Entrust SSL/TLS Certificate Change


Change Preparation

Oracle Java Application

Note: These instructions assume your application runs in a dedicated Java virtual machine. Your Java web server software may instead manage the SSL trust store for your application. If you use a web server software package (such as IBM WebSphere or Oracle WebLogic), consult the vendor documentation for further information.

Check your server's version of Java. The latest versions of Java have the new Entrust Root CA and no action is required on your part.

If you are unsure, upgrade to the latest updated version of Java.

If upgrading Java is not an option, and/or you wish to perform further validation, you can check that your server's version of Java has the new Root CA as follows.

This process assumes the trust store you are using is the default cacerts trust store for Java. If your Java application uses a different trust store, perform these steps on that trust store instead.

  1. Locate your JDK or JRE folder (whichever your application uses to run).
  2. For a JDK, the trust file is located under JDK/jre/lib/security/cacerts; for a JRE, it is located under JRE/lib/security/cacerts.
  3. Open a command window and run the following command:

keytool -list -keystore <PATH_TO_CACERTS> -storepass changeit -alias entrustrootcag2

If a certificate is listed, no action is required from you for this particular application environment.

Otherwise, if the error 'Alias <entrustrootcag2> does not exist' is displayed, you need to install the new certificate as follows:

  1. Run the following command: bin\keytool -import -keystore <PATH_TO_CACERTS> -storepass changeit -alias entrustrootcag2 -file <PATH_TO_ENTRUST_ROOT_CA_G2_FILE>
  2. Type yes and press Enter
  3. Run the following command to verify the certificate was successfully added:

keytool -list -keystore <PATH_TO_CACERTS> -storepass changeit -alias entrustrootcag2

Note: For this change to come into effect, you may need to restart your application server and/or any middleware software.

You may need to consult your software developer or systems administrator to resolve this issue.

Microsoft .NET Application

You can check that Windows has installed the new Entrust Root CA correctly on your server as follows:

  1. Login to the server as an administrator.
  2. Click Start then Run and enter mmc and press Enter.
  3. Under the File menu, click Add/Remove Snap-in...
  4. Select Certificates then press Add.
  5. Select Computer account then press Next.
  6. Select Local computer then press Finish.
  7. Press OK.
  8. Under Console Root, expand Certificates (Local Computer), then Trusted Root Certification Authorities, then Certificates.
  9. Check for a certificate "Issued To" "Entrust Root Certification Authority - G2".

If the certificate is present, no action is required. If the CA certificate is not present, you must install it as follows:

  1. Download the Entrust Root CA certificate and save it to your server with a .cer file extension.
  2. In the MMC window, right-click the Certificates folder under Trusted Root Certification Authorities and select All Tasks -> Import...
  3. In the Certificate Import Wizard, press Next.
  4. Enter the file name of the CA certificate you just downloaded and press Next.
  5. Press Next again.
  6. Press Finish.
  7. Using the check steps above, validate that the certificate is now listed under Trusted Root Certification Authorities.

Note: For this change to come into effect, you may need to restart your application and the IIS service.


You may need to consult your software developer or systems administrator to resolve this issue.

Other Application Technologies

The steps you need to perform will vary dramatically depending on your underlying technology and/or operating system. If your underlying technology is Java or .NET, you can use the generic steps above.

Otherwise, you need to determine the appropriate steps to check that your system trusts Entrust's new Root CA. In order to do this, you may need to consult your software developer or systems administrator to resolve this issue.


Common Issues

My application is producing SSL/TLS errors post this change

If the error resembles one of the following .NET or Java samples, the application instance is reporting a certificate validation (path building) error, which indicates the change was not applied successfully in that environment.

Java:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

.NET:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Java - When using keytool to add the Root Certificate to my Java trust store, I get an error 'Input is not an X.509 certificate'

  • This error occurs when the browser used to export the certificate wrote an improperly formatted file. If there is any trailing whitespace, keytool will refuse to import the file.
  • Check that there is no trailing whitespace on any of the lines and that the -----END CERTIFICATE----- line is on a line at the bottom.
  • Note that when this is added, a restart of the application may be required to pick up the change
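As an added example (not Qvalent's or Westpac's code), the following Python script combines the keytool check-and-import steps from the Java section above with a pre-check for the PEM formatting faults described in this issue. It assumes keytool is on the PATH, that the default cacerts password is in use, and it substitutes -importcert -noprompt for typing yes at the prompt.

```python
"""Check a Java cacerts store for the entrustrootcag2 alias, validate the
PEM file, and import the root only when it is missing (added example)."""
import base64
import subprocess

ALIAS = "entrustrootcag2"
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_problems(text):
    """List the faults behind keytool's 'Input is not an X.509 certificate':
    trailing whitespace on any line, a missing BEGIN/END line, or a body
    that is not valid base64. An empty list means the file looks clean."""
    lines = text.split("\n")
    problems = [f"line {n}: trailing whitespace"
                for n, line in enumerate(lines, 1) if line != line.rstrip()]
    body = [line for line in lines if line.strip()]
    if not body or body[0] != BEGIN:
        problems.append("file must start with " + BEGIN)
    if not body or body[-1] != END:
        problems.append("last non-empty line must be " + END)
    try:
        base64.b64decode("".join(body[1:-1]), validate=True)
    except (ValueError, TypeError):
        problems.append("certificate body is not valid base64")
    return problems

def alias_present(keytool_output, alias=ALIAS):
    """Interpret 'keytool -list -alias' output: the alias entry on success,
    'Alias <name> does not exist' when the root is absent."""
    if f"Alias <{alias}> does not exist" in keytool_output:
        return False
    return alias in keytool_output.lower()

def keytool(*args):
    """Run keytool (assumed on PATH) and return combined stdout and stderr."""
    proc = subprocess.run(["keytool", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr

def ensure_entrust_root(cacerts, pem_path, storepass="changeit"):
    """Return 'present' or 'imported'; raise if the PEM file is malformed or
    the import did not take. Mirrors the manual steps in the advisory."""
    list_args = ("-list", "-keystore", cacerts, "-storepass", storepass, "-alias", ALIAS)
    if alias_present(keytool(*list_args)):
        return "present"
    with open(pem_path, encoding="utf-8") as handle:
        problems = pem_problems(handle.read())
    if problems:
        raise ValueError("fix the PEM file before importing: " + "; ".join(problems))
    keytool("-importcert", "-noprompt", "-keystore", cacerts, "-storepass",
            storepass, "-alias", ALIAS, "-file", pem_path)
    if not alias_present(keytool(*list_args)):  # re-run the verify step
        raise RuntimeError("import failed; inspect the keytool output")
    return "imported"
```

After an 'imported' result the application server still needs the restart noted in the advisory before it sees the new root.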

.NET - I have installed the Root Certificate by logging into the server with my user and installing the certificate under my user account

  • It is possible the certificate has not been installed under the Local Computer trust store or the trust store used by the application
  • Please refer to our suggested instructions to install the Root Certificate under the Local Computer trust store
  • Note that when this is added, a restart of the application may be required to pick up the change

Frequently Asked Questions

Do I need to change the client certificate I use with your web services?

No. There are no changes to the client certificates used with our services as a part of this change.

I have already made changes to support TLSv1.2 in my application. Does this mean I am ready for this change?

No. Upgrading applications or systems to support TLSv1.2 does not mean that an application or system is ready for this change.

How do I validate whether my application includes the required Entrust Root Certificate?

Please see the general change preparation information above for Java and .NET.

How do I perform this validation for my application when I don't use Java or .NET?

Qvalent cannot provide detailed instructions for all application technologies. Please consult your application development team and/or server team for instructions for your specific application and server environment.

We have provided general instructions for common Java and .NET applications above as a sample of the change.

Does this change affect other hosts?

No, at this time this change only affects the hosts listed in the change document.

Can I be granted an extension for this change?

No, extensions cannot be granted for this change. Due to its nature, all customers must be prepared at the same time for the change to occur.


Disclaimer

These guidelines are general in nature and have been prepared without knowledge of the specific environment in which your systems operate. These guidelines are current at the time of writing but may require updates over time. Except where contrary to law, Westpac intends by this notice, to exclude liability for these guidelines and the information contained in them. While Westpac has made every effort to ensure these guidelines are free from error, Westpac does not warrant their accuracy, adequacy or completeness.