Skip to main content

Automatically verifying hotfix files during installation

Suggest edit
Updated on September 1, 2021

For Pega Platform version 8.5 or later, Pega Platform automatically validates the hotfix file's digital certificate with the provider during installation. This ensures that the signature on the certificate is valid and that the certificate has not been revoked.

If the file cannot be verified, you cannot complete the installation. Contact Pegasystems Global Client Support if you are unable to install hotfix files.

Verifying the authenticity of the Pega certificate

To validate the digital signatures in a hotfix file, Pega Platform first verifies that the Pega certificate included in the hotfix file is authentic. To authenticate the hotfix file, Pega Platform uses a certificate chain to ensure that the hotfix has been issued by a trusted root certificate.

For hotfix verification, Pega uses the DigiCert Assured ID Root CA. This DigiCert certificate must be in the trust store supplied to the Pega Platform JVM. If you have not customized the JVM's trust store, this should be available by default.

If Pega Platform cannot verify the Pega certificate, you might be passing a custom trust store into the JVM. Ensure that this custom trust store includes the DigiCert Assured ID Root CA, which can be found at

Checking for revoked hotfix certificates automatically

Before you apply a hotfix, ensure that the URL of the certificate validation service is accessible to your Pega Platform application over your network.

If your application uses firewalls to block outside connections, add the latest validation HTTP endpoints, using port 80, and the appropriate details to your firewall allow lists. These endpoints are:

These endpoint details are subject to change without notice, and if you cannot use the URL to complete a validation, contact Pegasystems Global Client Support to verify the current list of URLs that Pega uses to validate hotfix file certificates.

Checking for revoked hotfix certificates for offline systems

For Pega Platform version 8.5 or later with no outbound URL connection, you can still make sure that the Pega hotfix files have not been revoked before you install them. Check for revoked hotfix certificates by manually loading a certificate revocation list (CRL) to verify the certificate. Because CRLs expire frequently, you need to load the list each time before you install a hotfix.

Note: Checking for revoked hotfix files is recommended only when you are installing hotfix files on a system that does not allow outbound URL connections and you are not using third-party tools to verify the files. This method only checks to make sure that your hotfix files have not been revoked by Pega and does not verify the signature with the digital certificate provider.

  1. Run the or downloadAndPackageCRLs.bat script in the scripts directory of the distribution image, with an output directory as the only command line argument.
    ./ /output/directory
    Result: The current CRLs are downloaded from the URLs embedded in the script, packaged into a CRLs.jar file, and placed in the output directory.
  2. Import the produced CRLs.jar file by using the import wizard. By default, this file is imported into the Customer code set; however, any active code set is acceptable.
  3. Restart all the application servers in the cluster (or at least the ones that will be used for installing hotfixes) for the changes to take effect.
  • Previous topic Verifying the authenticity of hotfix files
  • Next topic Manually verifying hotfix files by using third-party tools
Did you find this content helpful? YesNo

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us