Security Certificate Help

Security Certificate Update

On August 2, 2017, DigiCert announced that it was purchasing all website and public key infrastructure (PKI) services from Symantec. This acquisition included Symantec subsidiaries Thawte, GeoTrust and RapidSSL. Once the transition was complete, a subsequent announcement was released notifying customers that, effective November 30, 2017, all certificates issued from DigiCert and its subsidiaries would use a new public key infrastructure (PKI) hierarchy.

What Was Changed?

The following changes will go into effect on February 28, 2019, when the National Student Clearinghouse renews our Extended Validation Certificate for secureapi.studentclearinghouse.org and demosecureapi.studentclearinghouse.org and went into effect on March 13, 2018, when the National Student Clearinghouse renewed our Extended Validation Certificate for secure.studentclearinghouse.org:

• DigiCert High Assurance EV Root CA (SHA1) will replace Thawte Primary Root CA (SHA1)
• DigiCert EV RSA CA 2018 (SHA256) will replace Thawte EV SSL CA – G3 Intermediate CA (SHA256)

Do I Need to Do Anything?

If you are accessing the National Student Clearinghouse programmatically using Student Self-Service via secureapi.studentclearinghouse.org then you must update your security certificates.

If you are accessing the National Student Clearinghouse directly using a web browser and operating system that has been fully patched, you should not be affected by this change. Edge, Internet Explorer, Firefox, Chrome, Safari, and most other current web browsers trust sites that use SSL certificates for secure communications using certificate authority (CA) trust chains, which are updated automatically when the browser is patched.

However, your IT department may need to make changes if you are experiencing connection problems to secure.studentclearinghouse.org and your application or service is configured to trust only the following:

• Thawte Primary Root CA
• Thawte EV SSL CA – G3 Intermediate CA
• secure.studentclearinghouse.org

Resolving Connection Problems

If you are having problems connecting to our services or have an application that is accessing the National Student Clearinghouse through the secure.studentclearinghouse.org, secureapi.clearinghouse.org, or demosecureapi.clearinghouse.org URLs, we recommend you take one of the following actions.

Download the following certificates and add them to your trust store. You may need to right-click the links below and select “Save target as…” in some browsers.

• DigiCert High Assurance EV Root CA directly from Thawte
• DigiCert EV RSA CA 2018 CA directly from Thawte
• NSC secureapi certificate
• NSC demosecure certificate

Incorporating the certificate into your systems to ensure your applications and services can communicate securely with NSC varies considerably from one technology to another. The following links may provide some guidance:

• Oracle Document – Managing Wallets and Certificates
• Oracle Document – How to Import a Trusted Certificate into the Package Keystore
• Adobe Document – How to import certificates to ColdFusion’s truststore

Additional Helpful Links

• DigiCert Article – DigiCert Completes Acquisition of Symantec Website Security and Related PKI Solutions
• DigiCert Article – Google’s SHA-1 Deprecation Plan for Chrome
• DigiCert Article – What is an SSL Certificate?
• Microsoft Article – Working with Certificates
• Email certhelp@studentclearinghouse.org to request further assistance