For Pega Platform version 8.5 or later, Pega Platform automatically validates the hotfix file's digital certificate with the provider during installation. This ensures that the signature on the certificate is valid and that the certificate has not been revoked.
Verifying the authenticity of the Pega certificate
To validate the digital signatures in a hotfix file, Pega Platform first verifies that the Pega certificate included in the hotfix file is authentic. To authenticate the hotfix file, Pega Platform builds the certificate chain from the Pega certificate up to a trusted root certificate, ensuring that the hotfix has been issued under that trusted root.
If Pega Platform cannot verify the Pega certificate, you might be passing a custom trust store into the JVM. Ensure that this custom trust store includes the DigiCert Assured ID Root CA, which can be found at https://www.digicert.com/kb/digicert-root-certificates.htm.
Checking for revoked hotfix certificates automatically
Before you apply a hotfix, ensure that the URL of the certificate validation service is accessible to your Pega Platform application over your network.
These endpoint details are subject to change without notice, and if you cannot use the URL to complete a validation, contact Pegasystems Global Client Support to verify the current list of URLs that Pega uses to validate hotfix file certificates.
Checking for revoked hotfix certificates for offline systems
For Pega Platform version 8.5 or later with no outbound URL connection, you can still make sure that the Pega hotfix files have not been revoked before you install them. Check for revoked hotfix certificates by manually loading a certificate revocation list (CRL) to verify the certificate. Because CRLs expire frequently, you need to load the list each time before you install a hotfix.
- Run the downloadAndPackageCRLs.bat script in the scripts directory of the distribution image, with an output directory as the only command line argument.
  Result: The current CRLs are downloaded from the URLs embedded in the script, packaged into a CRLs.jar file, and placed in the output directory.
- Import the produced CRLs.jar file by using the Import wizard. By default, this file is imported into the Customer code set; however, any active code set is acceptable. For more information, see Importing rules and data by using the Import wizard.
- Restart all the application servers in the cluster (or at least the ones that will be used for installing hotfixes) for the changes to take effect.
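The following added example is not Pega's own code, and it is not the logic inside downloadAndPackageCRLs.bat or the Import wizard. Using only JDK APIs, it shows the two checks described in the sections above: that the custom trust store passed to the JVM actually contains the DigiCert Assured ID Root CA, and a PKIX validation of a signer certificate chain whose revocation check consults only locally supplied CRL files, never the network, which is the offline situation the CRL procedure addresses. The class name HotfixCertCheck, the file names, and the assumption that the signer chain has been exported to a PEM file are illustrative; how the certificate is embedded in a hotfix file is not covered on this page.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/** Illustrative offline check (not Pega code): trust store contents plus PKIX path validation
 *  with revocation decided from local CRL files only. File layout is an assumption. */
public class HotfixCertCheck {

    // RFC 2253 form of the subject that the page requires in a custom trust store.
    static final String REQUIRED_ROOT_CN = "CN=DigiCert Assured ID Root CA";

    /** Loads the trust store the JVM is started with (JKS or PKCS12). */
    static KeyStore loadTrustStore(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** True when some trusted-certificate entry is the DigiCert Assured ID Root CA. */
    static boolean containsRequiredRoot(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            if (c.getSubjectX500Principal().getName().contains(REQUIRED_ROOT_CN)) return true;
        }
        return false;
    }

    /** Reads the exported signer chain (PEM or DER). Self-signed roots are dropped because the
     *  trust anchor must come from the trust store, not from the file being checked. */
    static List<X509Certificate> loadChain(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) chain.add(x);
            }
        }
        return chain;
    }

    /** Reads CRL files (PEM or DER) that were downloaded while a network path was available. */
    static List<X509CRL> loadCrls(List<Path> files) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509CRL> crls = new ArrayList<>();
        for (Path f : files) {
            try (InputStream in = Files.newInputStream(f)) {
                for (CRL crl : cf.generateCRLs(in)) crls.add((X509CRL) crl);
            }
        }
        return crls;
    }

    /** PKIX validation whose revocation check uses only the supplied CRLs. A chain with a
     *  missing or expired CRL fails (fail closed) rather than being treated as not revoked. */
    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain, KeyStore trustStore,
                                                List<X509CRL> crls) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: HotfixCertCheck <signer-chain.pem> <truststore> <password> [crl ...]");
            System.exit(2);
        }
        KeyStore ts = loadTrustStore(Paths.get(args[1]), args[2].toCharArray());
        if (!containsRequiredRoot(ts)) {
            System.err.println("trust store lacks " + REQUIRED_ROOT_CN + "; add it before continuing");
            System.exit(1);
        }
        List<Path> crlFiles = new ArrayList<>();
        for (int i = 3; i < args.length; i++) crlFiles.add(Paths.get(args[i]));
        try {
            PKIXCertPathValidatorResult r = validate(loadChain(Paths.get(args[0])), ts, loadCrls(crlFiles));
            System.out.println("chain valid, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName());
        } catch (CertPathValidatorException e) {
            // getReason() separates REVOKED from UNDETERMINED_REVOCATION_STATUS (no usable CRL).
            System.err.println("validation failed: " + e.getReason() + " - " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Because the Collection CertStore is the only revocation source, a chain for which no current CRL was supplied fails with UNDETERMINED_REVOCATION_STATUS instead of passing silently; this is the same reason the procedure above requires reloading the CRLs before every hotfix installation, since an expired CRL is no better than a missing one.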