RSA Product Set: RSA ID Plus
RSA Product/Service Type: RSA Cloud Access Service (formerly known as Cloud Authentication Service)
An integration with the RSA ID Plus Cloud Access Service (CAS) no longer works following the move from Entrust certificates to DigiCert certificates on the CAS, scheduled for the week of October 6, 2025, as explained in the following advisory: https://community.rsa.com/s/article/REMINDER-6-WEEKS-LEFT-to-complete-upgrade-when-using-RSA-CAS
Integrations can be categorized into 3 "types" based on purpose:
- Authentication: Prompts end users to authenticate for access to a resource. Examples: CAS (Web Access), RSA Authentication Manager connected to CAS, RSA Prime connected to CAS, MFA Agent, or 3rd-party client using the RSA Authentication REST API.
- Administration: Used for administrative functions, such as for making API calls to the CAS to gather logs or edit a user account. Examples: RSA Authentication Manager connected to CAS, RSA Prime connected to CAS, or 3rd-party client using the RSA Cloud Administration APIs.
- Authentication and Administration: Combination of both mentioned above. Examples: RSA Authentication Manager and Prime.
Depending on which "type" of integration with the CAS is broken, there will be different symptoms/effects:
- Authentication: Users will be unable to authenticate through the agent/client.
- Administration: API calls made to the CAS to do things such as gather logs or other administrative functions will be unsuccessful.
- Authentication and Administration: Combination of both mentioned above.
Various symptoms/effects of the new DigiCert certificates not being trusted by a given resource (i.e. 'non-compliant'):
- Users of ‘non-compliant’ versions of the RSA Mobile Authentication apps (RSA Authenticate/Authenticator) registered with the CAS will be limited to OTP Authentication only; all other authentication methods will fail.
- Users of ‘non-compliant’ agents/custom client integrations pointing to the CAS will no longer be able to authenticate.
- Users of ‘non-compliant’ versions of Authentication Manager (AM) connected to the CAS will find the connection between AM and CAS broken, typically resulting in AM operating in High Availability Mode, i.e. the only authentication method available to users will be OTP Authentication. AM will also be unable to fetch information from the CAS.
- Users of ‘non-compliant’ RSA Prime will no longer be able to use Prime to interact with CAS.
- API calls made to the CAS to do things such as gather logs or other administrative functions will be unsuccessful.
This article provides a set of high-level steps for determining whether an integration that no longer works with the Cloud Access Service (CAS) broke because of the Entrust-to-DigiCert certificate change on the CAS, and how to resolve this if so.
The questions/decision tree below help narrow down whether an integration that no longer works is affected by the Cloud Access Service (CAS) certificate change that occurred the week of October 6, 2025, and what is needed for the integration to work.
Steps for checking configuration/logs/etc. on the client/system side and importing a certificate vary per client/system, but the high-level steps below should help investigations. For importing the new DigiCert root certificates, the following advisory includes detailed steps for RSA-developed agents/software and high-level steps for 3rd-party products: https://community.rsa.com/s/article/REMINDER-6-WEEKS-LEFT-to-complete-upgrade-when-using-RSA-CAS
A couple of the first questions that should be asked are:
- Is the Cloud Access Service used/involved in the integration? If no, then the certificate change should not be related.
- When did the integration stop working, or when did the issue start? If the CAS is used/involved in the integration, and the integration stopped working around the time of the certificate change on the CAS (week of October 6, 2025), then the certificate change could be related.
Additionally, what "type" of integration is having an issue: Authentication or Administrative? (Are users having trouble authenticating, or are Administrative API calls no longer working?):
Note that if SSL inspection or TLS termination is used by clients/systems for communicating with the CAS, then the proxy server(s), firewall(s), and/or load balancer(s) used for this communication need to trust the new DigiCert certificates. Otherwise, any of the issues mentioned below can result from these network devices not trusting the new CAS DigiCert certificates (depending on the communication flow/network paths involved).
- For Authentication type issues, these can be categorized into various scenarios. Follow the one that applies to the situation:
  - Authentication client/agent is configured to point to the CAS and a CAS-registered authenticator is used to authenticate.
    - If the RSA Authenticate app is being used, it must be migrated to the RSA Authenticator app (the RSA Authenticate app has reached EOPS).
    - If the RSA Authenticator app for iOS or Android and a method other than the Authenticate OTP is to be used, the app must be at least version 4.5.
    - The authentication client/agent needs to trust the new DigiCert root certificate.
    - Logs or a packet capture from the client side should show if not trusting the new root certificate is the issue.
  - Authentication client/agent is configured to point to the CAS and an authentication method from Authentication Manager, such as a hardware or software token, is used to authenticate.
    - The authentication client/agent needs to trust the new DigiCert root certificate.
    - Logs or a packet capture from the client side should show if not trusting the new root certificate is the issue.
  - Authentication client/agent is configured to point to Authentication Manager (AM) where either AM is proxying the authentication request to the CAS and/or a CAS-registered authenticator is used to authenticate.
    - If the RSA Authenticate app is being used, it must be migrated to the RSA Authenticator app (the RSA Authenticate app has reached EOPS).
    - If the RSA Authenticator app for iOS or Android and a method other than an OTP method is to be used, the app must be at least version 4.5.
    - Authentication Manager needs to trust the new DigiCert root certificate.
  - If the Cloud Access Service is not used/involved in the integration, then the certificate change should not be related.
- For Administration type issues:
  1. Is the client/system making the failing API calls to the CAS? (If yes, proceed to the next question; else, the change shouldn't be related.)
  2. When did the integration stop working? (If during the week of October 6, 2025, the timeframe of the certificate change, then it could be that the client/system integrated with the CAS does not trust the new DigiCert root certificate. Importing the new DigiCert root certificate into the client/system that is integrated with the CAS can be attempted for resolution, or, if more evidence is needed before this can be done for some reason, proceed to the next question.)
  3. Does the client/system integrated with CAS trust the new DigiCert root certificate? (If no, then it needs the new certificate. If yes, then something else may be causing the issue.) Logs or a packet capture from the client side should show if not trusting the new root certificate is the issue.
- For RSA Prime (if connected to CAS):
  - If Prime is unable to fetch information from the CAS, then it could be that Prime needs to be updated with the new DigiCert root certificate.
  - If users are unable to authenticate to Prime, such as to the Prime Self Service Portal (SSP), using a CAS-registered authenticator, then:
    - If the RSA Authenticate app is being used, it must be migrated to the RSA Authenticator app (the RSA Authenticate app has reached EOPS).
    - If the RSA Authenticator app for iOS or Android is being used, then the app must be at least version 4.5.
    - Prime needs to trust the new DigiCert root certificate.
    - If the above three items have been verified, then Authentication Manager may also need to trust the new DigiCert root certificate in this scenario.
- For RSA Authentication Manager (if connected to CAS):
  - If Authentication Manager (AM) is unable to fetch information from the CAS, then it could be that AM does not trust the new DigiCert root certificate.
  - Various authentication scenarios require AM to be able to communicate with the CAS, and thus trust the new DigiCert root certificate (see "Authentication" and "RSA Prime" sections above).
If needed, the new DigiCert root certificate ("DigiCert Global Root G2") and intermediary certificate ("DigiCert Global G2 TLS RSA SHA256 2020 CA1") can be obtained from https://www.digicert.com/kb/digicert-root-certificates.htm.
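The three triage questions above (is the CAS involved, when did failures start, do client logs show a trust failure) can be applied to a client-side log in one pass. The following is an added example, not RSA code: the log format, the host name cas-tenant.example and the verdict labels are assumptions, and the error patterns are the standard untrusted-chain messages from Java, OpenSSL/curl, Python and .NET clients.

```python
import re
from datetime import date, datetime

# The article places the Entrust-to-DigiCert change in the week of October 6, 2025.
CHANGE_DATE = date(2025, 10, 6)

# Common client-side messages for "server chain does not lead to a trusted root"
# (Java, OpenSSL/curl, Python ssl, .NET). Extend for the client in use.
TRUST_ERRORS = re.compile(
    r"PKIX path building failed"
    r"|unable to get local issuer certificate"
    r"|CERTIFICATE_VERIFY_FAILED"
    r"|remote certificate is invalid according to the validation procedure",
    re.IGNORECASE,
)

def triage(lines, cas_host):
    """Return (verdict, first_trust_failure) following the article's questions."""
    # Question 1: is the CAS involved at all?
    cas_lines = [ln for ln in lines if cas_host in ln]
    if not cas_lines:
        return ("CAS_NOT_INVOLVED", None)
    # Question 3: do the failures show the client rejecting the server chain?
    failures = []
    for ln in cas_lines:
        if not TRUST_ERRORS.search(ln):
            continue
        try:
            failures.append(datetime.strptime(ln.split()[0], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            continue  # no parseable timestamp; cannot place it in time
    if not failures:
        return ("NO_TRUST_ERROR", None)
    # Question 2: did the trust failures start with the certificate change?
    first = min(failures)
    if first.date() >= CHANGE_DATE:
        return ("LIKELY_CERT_CHANGE", first)
    return ("TRUST_ERROR_PREDATES_CHANGE", first)

# Constructed sample log (hypothetical format and host name, not real output).
SAMPLE_LOG = [
    "2025-10-03T08:00:11Z INFO host=cas-tenant.example auth ok user=alice",
    "2025-10-07T09:14:02Z ERROR host=cas-tenant.example SSLHandshakeException: PKIX path building failed",
    "2025-10-07T09:15:40Z ERROR host=cas-tenant.example curl: (60) unable to get local issuer certificate",
    "2025-10-07T09:16:00Z ERROR host=ldap.example connection timed out",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "cas-tenant.example"))
```

A LIKELY_CERT_CHANGE verdict points to importing the new DigiCert root certificate into the client or into any TLS-inspecting device on the path; NO_TRUST_ERROR means the cause should be sought elsewhere.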