Verify Needed Root Certificates Setup in Datawire UnixAPI

Purpose
This document describes the steps to replace the existing root CA certificates file in the Datawire UnixAPI
environment. Setting this file up correctly allows Datawire UnixAPI to keep functioning when the Datawire servers’
certificates are upgraded to 2048-bit in 2014.
What the needed VeriSign Root CA certificates are
All of the following root CA certificates are needed for Datawire UnixAPI to work reliably:
VeriSign Class 3 Public Primary CA
Class 3 Public Primary Certification Authority (VeriSign Class 3 Public Primary CA)
Version = 1
Country = US
Organization = VeriSign, Inc.
Organization Unit = Class 3 Public Primary Certification Authority
Serial Number: 3c 91 31 cb 1f f6 d0 1b 0e 9a b8 d0 44 bf 12 be
Valid From: Sunday, January 28, 1996 4:00:00 PM
Valid to: Wednesday, August 02, 2028 3:59:59 PM
Certificate SHA1 Thumbprint: a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b
Key Size: RSA(1024 Bits)
Signature Algorithm: sha1RSA
File name in Root package: Class 3 Public Primary Certification Authority
VeriSign Class 3 Primary CA – G5
VeriSign Class 3 Public Primary Certification Authority - G5
Version = 3
Country = US
Organization = VeriSign, Inc.
Organizational Unit = VeriSign Trust Network
Organizational Unit = (c) 2006 VeriSign, Inc. - For authorized use only
Common Name = VeriSign Class 3 Public Primary Certification Authority - G5
Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
Operational Period: Tue, November 07, 2006 to Wed, July 16, 2036
Certificate SHA1 Fingerprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5
Key Size: RSA(2048Bits)
Signature Algorithm: sha1RSA
File name in Root package: VeriSign Class 3 Public Primary Certification Authority - G5
The VeriSign certificates can be downloaded from verisign.com.
© 2010 First Data Corporation. All Rights Reserved. All trademarks, service marks and trade names referenced in this material are the property of their respective owners.
To download the VeriSign Root CAs:
1. Go to http://www.verisign.com/support/roots.html and click on the link 'Download a root package for VeriSign
Certificates (roots.zip file)'
2. Download the file
3. Locate the folder where the .zip file was saved
4. Extract the .zip file and locate the 'Serial Numbers.txt' file – This will be used to locate the correct folder for each
VeriSign Root CA
5. Go to the folder where the Root CA is located
What the needed Equifax Root CA certificate is
EquiFax Secure Certificate Authority
Version: 3
Organization: Equifax
Country: US
Serial Number: 35:DE:F4:CF
Validity Period: Sat Aug 22, 1998 to Wed Aug 22, 2018 (GMT)
Certificate Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
Certificate Fingerprint (SHA-1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
Key Length: 1024
This certificate can be downloaded from geotrust.com.
(http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem)
To download the Equifax Root CA:
1. Go to http://www.geotrust.com/resources/root-certificates/ and look for “Root 1 – Equifax Secure Certificate
Authority” (exp 8/22/2018).
2. Download the file
3. Go to the folder where the certificate was saved.
Steps to Verify
1. Get the location of the trusted root CA certificates file that the application has set up for Datawire Unix-API.
When an application integrating with DW Unix-API initializes the API, it calls the DW Unix-API interface function
“VxnSetCA”. Check the parameter passed to this function: it is the file path of the trusted root CA certificates
file that should be checked. Most applications keep this path in their configuration, so checking the
configuration is an alternative (perhaps quicker) way.
2. Suppose the CA file identified in step 1 is at “/location/to/CAfile”. Replace the content of that file with the
concatenated contents of the three needed root CA certificates (listed in the “What the needed ... CA certificates
are” sections above).
3. As an alternative to the manual “download and concatenate” process above, the existing CAfile can be replaced with
the attached file “DWAPI_CAs.pem”. The process is as follows:
--Verify the md5sum and sha1sum of the attached file “DWAPI_CAs.pem”. They should be:
MD5SUM:
bc79055785c509956beab60ed1af1d4e DWAPI_CAs.pem
SHA1SUM:
8f678ca5d745dc6ab29025749c0fc6e1e1b5c12a DWAPI_CAs.pem
--Overwrite /location/to/CAfile with DWAPI_CAs.pem: copy the attached DWAPI_CAs.pem to the destination file
“/location/to/CAfile”.
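The verify-then-overwrite process of step 3 as a shell script. This is an added example, not part of the original document or of Datawire's software. It assumes the md5sum and sha1sum utilities are installed; the function names, the ".bak" backup and the temporary file name are choices made for this example.

```shell
#!/bin/sh
# Added example, not First Data/Datawire code. Assumes md5sum and sha1sum exist.
# The digests below are the ones this document gives for DWAPI_CAs.pem.
EXPECTED_MD5="bc79055785c509956beab60ed1af1d4e"
EXPECTED_SHA1="8f678ca5d745dc6ab29025749c0fc6e1e1b5c12a"

# digest_of TOOL FILE: print only the hex digest computed by TOOL.
digest_of() {
    "$1" "$2" | awk '{ print $1 }'
}

# verify_bundle FILE MD5 SHA1: succeed only if both digests match.
verify_bundle() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    [ "$(digest_of md5sum "$1")" = "$2" ] || { echo "MD5 mismatch: $1" >&2; return 1; }
    [ "$(digest_of sha1sum "$1")" = "$3" ] || { echo "SHA1 mismatch: $1" >&2; return 1; }
}

# install_ca_bundle SRC DEST MD5 SHA1: overwrite DEST with SRC only after SRC
# passes both checks. The old DEST is kept as DEST.bak, and the new content is
# written to a temporary file and re-verified before it replaces DEST.
install_ca_bundle() {
    src=$1; dest=$2; tmp="$dest.new.$$"
    verify_bundle "$src" "$3" "$4" || return 1
    if [ -e "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 1   # keep the previous trust file
        cp -p "$dest" "$tmp" || return 1        # inherit its mode and timestamps
    fi
    cat "$src" > "$tmp" || return 1
    verify_bundle "$tmp" "$3" "$4" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest"
}

# Usage: sh install_ca.sh DWAPI_CAs.pem /location/to/CAfile
if [ "$#" -eq 2 ]; then
    install_ca_bundle "$1" "$2" "$EXPECTED_MD5" "$EXPECTED_SHA1"
fi
```

If either digest does not match, the script exits non-zero and leaves the existing CA file untouched.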
[End]