Action Required: Losant’s Root Certificate is Changing

Brandon Cannaday

On August 1st, 2024, Losant is updating its root certificate. This update is required because the current root certificate will no longer be trusted by Mozilla’s CA Certificate Program after April 15th, 2025. More details can be found in DigiCert’s knowledge base.

Previous root certificate: DigiCert Global Root CA
Updated root certificate: DigiCert Global Root G2

Does this impact me?

This update impacts devices that explicitly use the root certificate to verify TLS connections to the Losant platform. The following list contains the most common examples:

  • The device’s firmware has the root certificate compiled directly into the binary. For example, the ESP32 IDF’s built-in MQTT client requires the root certificate to be included in the binary that’s flashed to the device.
  • The device is programmed with a specific root certificate to verify the MQTT connection. For example, the Paho Python MQTT client supports providing a root certificate through the tls_set function. If you’re using Losant’s Python MQTT client, you must update to v1.21.1 or newer. Many other MQTT clients support a similar configuration option.
  • The device is using a custom Linux image (e.g. Yocto) with a modified certificate store. The DigiCert Global Root G2 certificate has been included in all major Linux distributions since 2015; however, custom images may have removed it.
  • The device has off-the-shelf vendor software installed with configuration options to provide a specific root certificate for TLS verification.

If your devices use root certificates to verify TLS connections and your devices do not contain the updated certificate, they will be unable to connect to the Losant platform after August 1st. Since TLS verification is performed by the device, it is not possible for Losant to determine which devices are impacted.

All versions of Losant’s Gateway Edge Agent (GEA) support the DigiCert Global Root G2 certificate. No GEA customers are impacted by this update.

What do I have to do?

Impacted devices must be updated to support the DigiCert Global Root G2 certificate before August 1st, 2024. You can download the root certificate files from Losant’s MQTT documentation.

Your devices should support both the previous and updated root certificates to ensure a seamless transition. How root certificates are installed is specific to each device and OS. If your firmware requires a certificate file stored somewhere on disk, you can often combine both root certificates into a single file. You can see an example of this in Losant’s Python MQTT Client.
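
One way to build the combined file described above, shown as an added example (this is not Losant's code; the script name and the input and output file names are assumptions). It re-emits each PEM block instead of concatenating files byte for byte, so an input that lacks a trailing newline cannot fuse its END marker into the next BEGIN marker, and a certificate that appears in several inputs is written only once.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

# Non-greedy match, so blocks are found even if a previous naive
# concatenation glued END and BEGIN markers onto one line.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate block found in pem_text."""
    # validate=True rejects anything that is not clean base64.
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(pem_text)]


def der_to_pem(der):
    """Encode DER as a PEM block with 64-column lines and a final newline."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"


def build_bundle(sources, out_path):
    """Merge PEM files into one bundle; return SHA-256 fingerprints in order."""
    seen, blocks = [], []
    for src in sources:
        ders = pem_to_der_list(Path(src).read_text(encoding="ascii"))
        if not ders:
            raise ValueError(f"no certificate found in {src}")
        for der in ders:
            fp = hashlib.sha256(der).hexdigest()
            if fp not in seen:  # skip a root already taken from another file
                seen.append(fp)
                blocks.append(der_to_pem(der))
    Path(out_path).write_text("".join(blocks), encoding="ascii")
    return seen


if __name__ == "__main__":
    # Assumed usage: python make_bundle.py bundle.pem old-root.pem new-root.pem
    for fingerprint in build_bundle(sys.argv[2:], sys.argv[1]):
        print(fingerprint)
```

The resulting bundle is the kind of file you would pass as `ca_certs` to Paho's `tls_set`. Compare the printed fingerprints with the ones DigiCert publishes for both roots before flashing or deploying the file.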

If you’re using the operating system to validate TLS connections, you’ll need to ensure your OS has the DigiCert Global Root G2 certificate installed. Most Linux distributions (e.g. Raspbian and Ubuntu) have supported this root certificate since 2015. This certificate is also already included in all versions of Windows after Windows XP SP3. If you’re using a custom build of Linux (e.g. Yocto), you may be required to update your image. Refer to your operating system’s instructions for installing root certificates.

You can test connections against the DigiCert Global Root G2 certificate using the DigiCert Global Root G2 demo site. For example, to verify that Linux has the DigiCert Global Root G2 certificate installed, you can run one of the following commands:

curl https://global-root-g2.chain-demos.digicert.com/

wget https://global-root-g2.chain-demos.digicert.com/

If you do not receive a certificate warning or error, your Linux OS can successfully establish TLS connections using the DigiCert Global Root G2 certificate.

What is a root certificate?

A root certificate is a public file that identifies the certificate authority that issued a TLS certificate. Root certificates are often used to verify the authenticity of a TLS-encrypted connection. When a client receives certificate information from a server, the client can verify that the certificate is valid by checking it against a known root certificate stored locally.

When is the next root certificate update?

The DigiCert Global Root G2 root certificate will be trusted by Mozilla until April 15th, 2029. This means the next root certificate update will occur in approximately 4 years.

If you have questions about this update, please let us know on the Losant forums.