Action Required: Losant’s Root Certificate is Changing

Brandon Cannaday | 3 minute read

On December 5th, 2024, Losant is updating its root certificate. This update is required because the current root certificate will no longer be trusted by Mozilla’s CA Certificate Program. More details can be found in DigiCert’s knowledge base.

Previous root certificate: DigiCert Global Root CA
Updated root certificate: DigiCert Global Root G2

Does this impact me?

This update impacts devices that explicitly use the root certificate to verify TLS connections to the Losant platform. The following list contains the most common examples:

  • The device’s firmware has the root certificate compiled directly into the binary. For example, the ESP-IDF’s built-in MQTT client for the ESP32 requires the root certificate to be included in the binary that’s flashed to the device.
  • The device is programmed with a specific root certificate to verify the MQTT connection. For example, the Paho Python MQTT client supports providing a root certificate through the tls_set function. If you’re using Losant’s Python MQTT client, you must update to v1.21.1 or newer. Many other MQTT clients support a similar configuration option.
  • The device is using a custom Linux image (e.g. Yocto) with a modified certificate store. The DigiCert Global Root G2 certificate has been included in all major Linux distributions since 2015; however, custom images may have removed it.
  • The device has off-the-shelf vendor software installed with configuration options that provide a specific root certificate for TLS verification.

If your devices use root certificates to verify TLS connections and your devices do not contain the updated certificate, they will be unable to connect to the Losant platform after December 5th. Since TLS verification is performed by the device, it is not possible for Losant to determine which devices are impacted.

All versions of Losant’s Gateway Edge Agent (GEA) support the DigiCert Global Root G2 certificate. No GEA customers are impacted by this update.

What do I have to do?

Impacted devices must be updated to support the DigiCert Global Root G2 certificate before December 5th, 2024. You can download the root certificate files from Losant's MQTT documentation.

Your devices should support both the previous and updated root certificates to ensure a seamless transition. How root certificates are installed is specific to each device and OS. If your firmware requires a certificate file stored somewhere on disk, you can often combine both root certificates into a single file. You can see an example of this in Losant’s Python MQTT Client.

If you’re using the operating system to validate TLS connections, you’ll need to ensure your OS has the DigiCert Global Root G2 certificate installed. Most Linux distributions (e.g. Raspbian and Ubuntu) have supported this root certificate since 2015. This certificate is also already included in all versions of Windows after Windows XP SP3. If you’re using a custom build of Linux (e.g. Yocto), you may be required to update your image. Refer to your operating system’s instructions for installing root certificates.
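The following is an added example (not Losant’s code and not taken from Losant’s Python MQTT client) of the “combine both roots into one file” approach described above. It merges any number of PEM files into a single CA bundle, rejects blocks that are not valid base64 so a corrupted file is caught before it is flashed to devices, and then points a Paho-style client at the bundle with tls_set. The file paths and the Paho client object are assumptions; the two root PEM files themselves must be downloaded from Losant’s MQTT documentation.

```python
"""Build one CA bundle trusting both the previous and the updated root,
then hand it to a Paho-compatible MQTT client.  Added example; file paths
and the client object are assumptions, not Losant's own code."""
from __future__ import annotations

import base64
import re
import ssl
import sys
from pathlib import Path

# One PEM "CERTIFICATE" block; group 1 is the base64 body (any line wrapping).
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def extract_der_certs(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in pem_text, in order.
    validate=True makes a truncated or hand-edited block raise ValueError
    instead of silently producing garbage that the TLS stack would reject."""
    return [
        base64.b64decode("".join(body.split()), validate=True)
        for body in _PEM_BLOCK.findall(pem_text)
    ]


def merge_ca_bundle(*pem_texts: str) -> str:
    """Concatenate several PEM texts into one bundle, dropping exact duplicates.
    Order is preserved, so listing the previous root first keeps the old
    chain working throughout the transition window."""
    seen: set[bytes] = set()
    blocks: list[str] = []
    for text in pem_texts:
        for der in extract_der_certs(text):
            if der in seen:
                continue
            seen.add(der)
            b64 = base64.b64encode(der).decode("ascii")
            # Re-wrap at 64 columns, the conventional PEM line length.
            lines = [b64[i : i + 64] for i in range(0, len(b64), 64)]
            blocks.append(
                "-----BEGIN CERTIFICATE-----\n"
                + "\n".join(lines)
                + "\n-----END CERTIFICATE-----\n"
            )
    return "".join(blocks)


def write_bundle(out_path: Path, *pem_paths: Path) -> int:
    """Merge the given PEM files into out_path; return the certificate count."""
    bundle = merge_ca_bundle(*(p.read_text() for p in pem_paths))
    out_path.write_text(bundle)
    return len(extract_der_certs(bundle))


def configure_mqtt_tls(client, bundle_path: Path) -> None:
    """Configure a Paho-compatible client to verify the broker against the bundle.
    tls_set defaults to cert_reqs=CERT_REQUIRED; PROTOCOL_TLS_CLIENT also turns
    on hostname checking.  tls_insecure_set(False) keeps that check enabled."""
    client.tls_set(ca_certs=str(bundle_path), tls_version=ssl.PROTOCOL_TLS_CLIENT)
    client.tls_insecure_set(False)


if __name__ == "__main__":
    # Usage: python bundle.py losant-bundle.pem DigiCertGlobalRootCA.pem DigiCertGlobalRootG2.pem
    # (file names are placeholders for the downloaded root certificate files)
    if len(sys.argv) >= 3:
        n = write_bundle(Path(sys.argv[1]), *(Path(p) for p in sys.argv[2:]))
        print(f"wrote {sys.argv[1]} containing {n} certificate(s)")
```

After writing the bundle, `configure_mqtt_tls(paho.mqtt.client.Client(), Path("losant-bundle.pem"))` is all the client needs; the broker host stays broker.losant.com on port 8883, and the client will accept either chain until the old root is removed from the bundle.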

How do I test with the updated root certificate?

To test HTTPS connections, you can use the DigiCert Global Root G2 demo site. For example, to verify that your Linux distribution has the DigiCert Global Root G2 certificate installed, you can run one of the following commands:

curl https://global-root-g2.chain-demos.digicert.com/

wget https://global-root-g2.chain-demos.digicert.com/

If you do not receive a certificate warning or error, your Linux OS can successfully establish TLS connections using the DigiCert Global Root G2 certificate.

To test MQTTS connections, Losant has provided a temporary endpoint that uses the updated certificate:

Host: broker-g2root.losant.com
Port: 8883

This endpoint connects to the same MQTT broker that's located at broker.losant.com. It accepts the same device IDs, access keys, and access secrets. The only difference is that this test endpoint uses an updated TLS certificate signed by the DigiCert Global Root G2 certificate. This endpoint only accepts TLS connections over port 8883. If you attempt to form an insecure connection over port 1883, the connection will fail.

IMPORTANT: the test endpoint is temporary and will be removed when the new certificate goes live. Once your device has been updated to verify against both the current and updated root certificates, you must ensure the broker URL is set to broker.losant.com.

What is a root certificate?

A root certificate is the public, self-signed certificate of a certificate authority (CA), the organization that issues TLS certificates. Clients use it as a trust anchor to verify the authenticity of a TLS-encrypted connection: when a server presents its certificate (and any intermediate certificates), the client checks that the chain of signatures leads back to a root certificate stored in its local trust store.

When is the next root certificate update?

The DigiCert Global Root G2 root certificate will be trusted by Mozilla until April 15th, 2029. This means the next root certificate update will occur in approximately 4 years.

If you have questions about this update, please let us know on the Losant forums.