SSL Certificates

GTA protects its websites using SSL certificates, currently provided by GeoTrust and DigiCert.

The GeoTrust certificates will be used on the domains that are not ‘CDN’ enabled.

The DigiCert certificate will be used for our clients making use of the CDN acceleration.

For further information on CDN please refer to the ‘CDN – FAQ.doc’, on our client support site under ‘SSL Certificates’.

Certificates are renewed on average every 2 years, and we may renew the certificates on our system up to 2 months before their expiry date.

In order for clients to “trust” our certificate, the Certificate Authority needs to be trusted, as well as any intermediate certificate the authority uses (if applicable). Clients must make sure the application that sends XML requests to us is set up to “trust” our authority’s certificates.

Clients should not install our site-level certificate (e.g. “*.gta-travel.com”) because when we update or renew it, the client’s application may stop working. The certificate could also be issued in a different structure, so the client’s system would no longer recognise it and would not be able to connect to our system without maintenance. The company we source the certificate from holds the right to change the certificate structure.

All clients must use TLSv1.2. We no longer support SSLv3 or older, as they contain known vulnerabilities. In the near future we will also stop supporting TLSv1.0 due to further vulnerabilities.
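As an added example (not part of GTA’s documentation or code), the following Python shows a client-side TLS configuration that follows the three requirements above: trust is anchored on the Certificate Authority bundle rather than on GTA’s site certificate, the peer certificate is required and its host name verified, and nothing older than TLS 1.2 is negotiated. The host name `xml.gta-travel.com` and the `cafile` path are assumptions for illustration; use the endpoint and trust store that apply to your integration.

```python
import socket
import ssl

# Assumed example endpoint for this illustration; the text only quotes the
# "*.gta-travel.com" wildcard, so the exact host below is a placeholder.
XML_HOST = "xml.gta-travel.com"
XML_PORT = 443


def build_client_context(cafile=None):
    """Build a client SSLContext that connects the way the text requires.

    - Trust is anchored on the Certificate Authority bundle (root plus any
      intermediate), never on GTA's own site certificate, so a renewal or
      re-issue on GTA's side does not break the client.
    - A peer certificate is required and its host name is verified, which
      also exercises the Subject Alternative Name entries.
    - Nothing older than TLS 1.2 is negotiated (SSLv3 and TLS 1.0 refused).
    `cafile` is the client's CA bundle; None uses the platform trust store,
    which must be kept up to date.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # compare SAN/CN against the host name
    ctx.verify_mode = ssl.CERT_REQUIRED  # refuse peers without a trusted chain
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def context_summary(ctx):
    """Plain-value view of the settings that matter, for logging or checks."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def fetch_peer_certificate(host=XML_HOST, port=XML_PORT, cafile=None, timeout=10):
    """Connect with the hardened context and return the negotiated protocol,
    the certificate's 'notAfter' (the expiry date the text tells clients to
    look up in the browser) and its Subject Alternative Names.

    Raises ssl.SSLError when the chain is not trusted, the host name does not
    match, or the server offers only TLS 1.0/1.1.
    """
    ctx = build_client_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "notAfter": cert["notAfter"],
                "subjectAltName": cert.get("subjectAltName", ()),
            }


if __name__ == "__main__":
    # Network call: succeeds only if the trust store holds GTA's authority.
    print(fetch_peer_certificate())
```

If `fetch_peer_certificate` fails with a certificate-verify error while a browser accepts the site, the client’s trust list is the usual cause (see the note on up-to-date Certificate Authority lists below), not the site certificate itself.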

Clients must support the use of Subject Alternative Name (SAN) certificates when the DigiCert certificate is in use. Failure to support this feature will result in SSL errors.
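As an added example (not GTA’s code), the Python below applies the SAN rule just stated to a certificate in the dict form Python’s `getpeercert()` returns, contrasts it with a legacy client that only reads the Common Name (the behaviour that produces the SSL errors mentioned above), and reports how far the certificate is from its expiry date, flagging the 2‑month window in which GTA may already renew it. Every host name, date and issuer in `SAMPLE_CERT` is constructed for the example; TLS libraries perform this matching themselves, so the helper is meant for diagnostics and monitoring rather than as a replacement for library verification.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Host names, dates and issuer are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example-cdn.test"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (
        ("DNS", "api.example-cdn.test"),
        ("DNS", "xml.example-cdn.test"),
        ("DNS", "*.cdn.example-cdn.test"),
    ),
}

# Constructed "current time" so the expiry arithmetic is reproducible.
EXAMPLE_NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)


def _dns_match(pattern, hostname):
    """Match one dNSName against a host name (RFC 6125 style): case-insensitive,
    a single '*' allowed only as the entire leftmost label, never matching
    across a dot, and never for a bare public suffix such as '*.test'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_hostnames(cert):
    """All dNSName entries of the Subject Alternative Name extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches_san(cert, hostname):
    """What a SAN-aware client does: any dNSName entry may cover the host."""
    return any(_dns_match(p, hostname) for p in san_hostnames(cert))


def hostname_matches_cn_only(cert, hostname):
    """What a legacy client that ignores SAN does: compare the CN only.
    Included to make the failure mode described in the text concrete."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


def days_until_expiry(cert, now=None):
    """Whole days from `now` (UTC) to the certificate's notAfter; negative if expired."""
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)


def check_peer_cert(cert, hostname, now=None, renewal_window_days=60):
    """Summarise what a client should know about the peer certificate.

    'renewal_window' is True inside the period (2 months in the text) during
    which GTA may swap the certificate at any moment; a client that pinned the
    old leaf would break then, a client trusting the authority would not.
    """
    days = days_until_expiry(cert, now)
    return {
        "hostname_ok": hostname_matches_san(cert, hostname),
        "expired": days < 0,
        "days_left": days,
        "renewal_window": 0 <= days <= renewal_window_days,
    }


if __name__ == "__main__":
    for host in ("api.example-cdn.test", "xml.example-cdn.test", "edge1.cdn.example-cdn.test"):
        print(host, "SAN:", hostname_matches_san(SAMPLE_CERT, host),
              "CN-only:", hostname_matches_cn_only(SAMPLE_CERT, host))
    print(check_peer_cert(SAMPLE_CERT, "xml.example-cdn.test", now=EXAMPLE_NOW))
```

A client that relies on the Common Name alone accepts only the first host here and rejects the other SAN entries, which is exactly the error case the paragraph warns about when the DigiCert certificate is in use.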

Most clients’ application servers (e.g. IIS, JBoss, Tomcat) will have an up-to-date list of Certificate Authority certificates in their configuration, but some applications may be out of date, and certain new, trusted authorities may not be recognised by the client’s application.

Clients need to make sure that their applications have up-to-date Certificate Authorities lists (or Trust Lists).

Below are some links that supply further details on this:

IIS 5.0: http://support.microsoft.com/kb/313071 

IIS 6.0: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/6e8034d4-c5fc-4b98-a9de-44075de5a589.mspx?mfr=true

or

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/559bb9d5-0515-4397-83e0-c403c5ed86fe.mspx?mfr=true (section on Trust Lists)

For Java-based applications like JBoss or Tomcat: the documentation provided with the application should contain instructions on how to do this. GTA has used a tool called ‘KeyTool Explorer’ to add new Certificate Authorities to the “cacerts” key store in the GTA applications.

Our current certificate can be downloaded from our web sites as follows:

  1. Change the URL from HTTP to HTTPS.
  2. Click on the padlock icon in the browser and the certificate will pop up.

Here the expiry date of the certificate will show.

By clicking on the ‘Certification Path’ tab it is possible to see all the applicable layers of the certificate:

The top two levels (the Certificate Authority and its intermediate) need to be trusted in the client’s application, but not the third one (the site certificate itself).

When using a browser to get this certificate, we recommend not using Firefox, as it has introduced stringent policies regarding Certificate Authorities, due to which clients are unable to access a certificate easily when one is required. Microsoft IE has not added such restrictions.
