RSA MFA Agent for PAM version 8.0.0 and later
In 2024, Google announced its plan to discontinue support for Entrust Certificate Authority (CA) in Google Services, such as Chrome, one of the most widely used web browsers, by October 2025. (Reference: Google Online Security Blog: Sustaining Digital Certificate Security - Entrust Certificate Distrust).
Prior to this announcement, RSA used Entrust CA in the RSA Cloud Access Service (formerly known as the RSA Cloud Authentication Service) and applications including RSA Authentication Manager, RSA Authenticate app, RSA Authenticator app, and RSA MFA Agent. RSA is moving to a new CA, DigiCert, which is already included in the latest versions of RSA Authentication Manager, RSA Authenticator app, and RSA MFA Agents.
Google will discontinue support for Entrust CA in Google services by October 2025.
To maintain trust and service continuity in RSA MFA Agent for PAM, DigiCert root and intermediate certificates must be added to the truststore used by RSA MFA Agent for PAM before week commencing Monday, October 6, 2025.
Note: No action is required for products connected to RSA Authentication Manager or RSA Authentication Manager Hybrid.
Obtain the updated certificate
- The updated certificate file, cert.pem, is included in the zip file available for download here.
- The file contains both Entrust and DigiCert certificates.
- Place this file under the default path:
/var/ace/
Configure the certificate
- Open the MFA configuration file located at: /var/ace/mfa_api.properties
- Locate the configuration parameter CA_CERT_FILE_PATH.
- The default location of the certificate file is: /var/ace/cert.pem
For example: CA_CERT_FILE_PATH=/var/ace/cert.pem - Edit the CA_CERT_FILE_PATH configuration parameter to specify this file path: CA_CERT_FILE_PATH=/var/ace/cert.pem
- Copy the cert.pem file to the /var/ace/ directory.
- Ensure the CA_CERT_FILE_PATH parameter is set correctly to points the cert.pem file.
No workaround is available. Complete the certificate update before October 6, 2025, to avoid service disruption.
- The update adds DigiCert certificates alongside Entrust certificates to ensure a seamless transition.
- This change affects only RSA MFA Agent for PAM 8.0.0 and later.
- Products connected to RSA Authentication Manager or Hybrid do not require this update.
Related Articles
Update DigiCert Certificates to Maintain Trust and Service Continuity in RSA MFA Agent for Apache Number of Views Hide or Show Agent Information in the User Dashboard Number of Views RSA Authenticator 4.6 for iOS and Android Quick Start Guide (Korean) Number of Views RSA Governance & Lifecycle Integration: Epic Electronic Medical Records EMR Summary Number of Views DSA-2020-134: RSA Identity Governance and Lifecycle Security Update for Intel Platform Vulnerabilities Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA MFA Agent 2.4 for Microsoft Windows Installation and Administration Guide Downloading RSA Authentication Manager license files or RSA Software token seed records How to configure RSA Authentication Manager 8.4 or later to send data to multiple remote syslog servers RSA Authentication Manager 8.9 Release Notes (January 2026)
