RSA MFA Agent for Apache version 9.0.0 and later
In 2024, Google announced its plan to discontinue support for Entrust Certificate Authority (CA) in Google Services, such as Chrome, one of the most widely used web browsers, by October 2025. (Reference: Google Online Security Blog: Sustaining Digital Certificate Security - Entrust Certificate Distrust).
Prior to this announcement, RSA used Entrust CA in the RSA Cloud Access Service (formerly known as the RSA Cloud Authentication Service) and applications including RSA Authentication Manager, RSA Authenticate app, RSA Authenticator app, and RSA MFA Agent. RSA is moving to a new CA, DigiCert, which is already included in the latest versions of RSA Authentication Manager, RSA Authenticator app, and RSA MFA Agents.
Google will discontinue support for Entrust CA in Google services by October 2025.
To maintain trust and service continuity in RSA MFA Agent for Apache, DigiCert root and intermediate certificates must be added to the truststore used by RSA MFA Agent for Apache before the week commencing Monday, October 6, 2025.
Note: No action is required for products connected to RSA Authentication Manager or RSA Authentication Manager Hybrid.
Obtain the updated certificate
- The updated certificate file (cert.pem) is included in the zip file available for download here.
- The file contains both Entrust and DigiCert certificates.
- Place this file in the following path: /etc/ssl/certs/
Configure the certificate
- Open the RSA Web Agent configuration file located at: /etc/httpd/rsawebagent/RSAWebAgent.INI
- Locate the configuration parameter: ServerCertificationLoc
- The default location of the certificate is: /etc/ssl/certs/cert.pem
Example: ServerCertificationLoc=/etc/ssl/certs/cert.pem - Copy the cert.pem file from the zip archive to the /etc/ssl/certs/ directory.
- Ensure that the ServerCertificationLoc parameter points to the correct path of the cert.pem file.
Restart the Apache server
Run the following commands:
- httpd -k stop
- httpd -k start
No workaround is available. Complete the certificate update before October 6, 2025, to avoid service disruption.
- The update adds DigiCert certificates alongside Entrust certificates to ensure a seamless transition.
- This change affects only RSA MFA Agent for Apache version 9.0.0 and later.
- Products connected to RSA Authentication Manager or Hybrid do not require this update.
Related Articles
Update DigiCert Certificates to Maintain Trust and Service Continuity in RSA MFA Agent for PAM Number of Views Announcement: End of Primary Support for RSA Authentication Agents for Microsoft IIS and Apache Number of Views Apache 2.x fails to start after configuring the RSA Authentication Agent 8.0 for Web for Apache Number of Views RSA Announces RSA Authentication Agent 7.1.0.1 for PAM Support for SUSE Linux 12 SP1 Number of Views Review User Entitlement Coverage Number 'Total Ents Not in Review" is sometimes negative in RSA Identity Governance & Life… Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.9 Release Notes (January 2026) An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide
