Avalara Help Center

Avalara AvaTax SHA1 Certificate Change May 2017

Overview

On Wednesday, May 10th, 2017, between 4:30 p.m. and 7:30 p.m. Pacific time, Avalara will update the SSL certificate on AvaTax. Certificate rotation is a routine process for SaaS companies. Most likely this will not affect you, but some customers have asked to be notified before the certificate changes.

You want to know if you need to update trusted certificates in your company’s environment to prepare for the change to SHA-256 signed certificates for Avalara AvaTax, and how to get those certificates.

Environment

AvaTax

Resolution

  • This change occurs on May 10th, 2017 for both Production and Development: the current AvaTax SHA-1 signed certificates will be replaced with the more secure SHA-256 signed certificates.

    • If you have installed the current SHA-1 certificate chain as trusted certificates in your environment, download the new SHA-256 certificate chain and install it as trusted certificates before May 10, 2017. The new chain is available for download now, so you can prepare ahead of the change.

  • The technical requirements to configure the new certificate chain will depend on the systems environment your company operates in.

    • You will need to refer to help resources specific to your company’s environment for importing trusted certificates.

  • For background on the information security risks created by SHA-1 weaknesses, see the blog posts from Google and Qualys.

  • A SHA-1 certificate will not be available beyond May 10, 2017.

FAQ

What should I do?

  • Consult with your IT department to confirm whether you are using the SHA-1 service URL (endpoint) or need to install the new certificate chain manually.

How do you know if you have the SHA-1 certificate in your environment?

  • Consult with your IT department to confirm whether you are using a certificate installed in your environment.

What does my IT department need to look for to find the SHA-1 certificate?

  • That depends on how your system is set up. Your IT department should have a record of which systems require manual installation of security certificates; how they locate those certificates depends on their own processes.

Can we continue using the SHA-1 endpoint provided last year?

  • No. That endpoint cannot continue to be used, because we are unable to renew its certificate.

Should we restart our server to update to the new certificate?

  • Discuss the update with your IT department. Depending on your system, a new certificate chain may need to be downloaded and installed, and whether a restart is needed depends on how your platform picks up changes to its trust store.

What is SHA-1?

  • SHA-1 is a cryptographic hash function, not an encryption method. In a certificate it is the algorithm the issuing certificate authority used to hash the certificate's contents before signing them; that signature is what lets your system verify the certificate protecting its connection to our service. Practical collision attacks against SHA-1 have been demonstrated (see the Google blog post referenced above), so certificates signed with it can no longer be relied on, and the industry has moved to SHA-256.

Are there detailed steps I need to take for my Integration?

  • That depends on your integration and on how your IT department has set up your system.

  • Check your configuration to ensure that you are connecting to the recommended URL (see the user guide for your integration if you are unsure where to review this).

Does this pertain to our implementation?

  • Our recommended implementation uses our standard service URL, where the certificate will be updated automatically.

  • You may also have installed a certificate locally; consult with your IT department to confirm whether you are using a certificate installed in your environment.

What is changing?

  • The SSL certificate in use on the primary AvaTax service and on the legacy SSLv3 URL is being replaced. The new certificate will use a full SHA-256 certificate chain.

  • The SSL certificate in use on the legacy SHA-1 URL is being replaced by an Avalara-signed SHA-1 certificate.

    • THIS WILL NOT BE A PUBLICLY SIGNED SSL CERTIFICATE. IT WILL BE SIGNED BY AN AVALARA-OWNED INTERNAL CERTIFICATE AUTHORITY.

    • Third-party certificate authorities no longer issue SHA-1 SSL certificates. Additional information on SHA-1 certificate deprecation can be found on Symantec's website.

    • Avalara will remove support for the following cipher suites:

      • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
      • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
      • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
      • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
      • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
      • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

    • Support for Perfect Forward Secrecy (PFS) will be implemented. With PFS, each session's keys come from an ephemeral key exchange rather than from the server's long-term private key, so a later compromise of that private key does not expose traffic that was recorded earlier. The suites being removed are finite-field Diffie-Hellman (DHE) suites; use the test URLs to confirm that your client still negotiates a suite with the updated endpoint. More information about Perfect Forward Secrecy can be found in this article in Wired magazine.

What does this mean for you?

  • For most customers, this change will be transparent.

  • However, customers who perform additional certificate validation steps, whose systems do not support SHA-256 SSL certificates, or who require SSLv3 may need to make changes to avoid service disruption. Test URLs have been created for all of these use cases.

    • Customers who have installed the current AvaTax SSL certificate on their systems and use it as part of certificate validation will need to install the named SHA-256 certificate attached to this email.

    • Customers who cannot support SHA-256 certificates will need to either add the attached Avalara-signed SHA-1 root and intermediate certificates as trusted certificates or put a web proxy that supports SHA-256 certificates in front of their integration. Trusting a private root CA means that system will accept any certificate that CA issues, so limit the import to the systems that need it.

    • Customers who require SSLv3 support will need to use legacy SSLv3 Avalara AvaTax URLs.

  • To be absolutely sure this change will not impact you, please use the test URLs to test this change. These URLs are temporary and should only be used for testing purposes. 

What are the URLs I can use for testing?

 

How can I test?

  • The best way to test is to run an AvaTax tax calculation while pointed at a test URL (with one of the test URLs above in your configuration).
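Two of the questions above, how your IT department can find a SHA-1 certificate that was installed as trusted, and how to test against the new endpoint, can be answered with a short script rather than a manual search. The following Python is an added example and is not Avalara's code or anything Avalara provides. It walks a directory of PEM or DER certificate files and reports those whose signature algorithm is SHA-1 based, by reading the signatureAlgorithm OID straight out of the DER structure, and it can open a verified TLS connection to a host to report the negotiated cipher suite, whether that suite uses an ephemeral (forward-secret) key exchange, and the signature algorithm on the server's leaf certificate. The directory layout and file extensions are assumptions, the sample certificates are constructed inside the script for the offline demo and are not real certificates, and the endpoint probe needs network access and a hostname you supply (the test URLs themselves are not reproduced on this page).

```python
"""Added example, not Avalara code: find SHA-1 signed certs in a trust directory and probe a TLS endpoint."""
import base64
import socket
import ssl
import tempfile
from pathlib import Path

# OIDs for common signatureAlgorithm values (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA1_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}

def _der_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Convert DER OID content bytes to dotted notation (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Name the outer signatureAlgorithm of a DER Certificate ::= SEQUENCE
    { tbsCertificate, signatureAlgorithm, signatureValue }; unknown OIDs come back dotted."""
    tag, cert, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _der_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = _der_tlv(cert, after_tbs)      # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _der_tlv(alg_id, 0)             # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not begin with an OID")
    dotted = _decode_oid(oid)
    return SIG_ALG_OIDS.get(dotted, dotted)

def load_certificate(path):
    """Return DER bytes from a PEM or DER certificate file."""
    data = Path(path).read_bytes()
    if b"-----BEGIN CERTIFICATE-----" in data:
        body = data.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        return base64.b64decode(body)
    return data

def find_sha1_certs(trust_dir):
    """(path, algorithm) for each SHA-1 signed certificate under trust_dir.
    Assumption: the trust store is a directory tree of .pem/.crt/.cer/.der files."""
    hits = []
    for path in sorted(Path(trust_dir).rglob("*")):
        if path.suffix.lower() in (".pem", ".crt", ".cer", ".der"):
            alg = signature_algorithm(load_certificate(path))
            if alg in SHA1_ALGS:
                hits.append((str(path), alg))
    return hits

def is_forward_secret(cipher):
    """True for an ephemeral key exchange; takes OpenSSL (ECDHE-RSA-...) or IANA (TLS_DHE_RSA_...) names."""
    n = cipher.upper().replace("-", "_")
    return n.startswith(("ECDHE_", "DHE_", "TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_"))

def probe_endpoint(host, port=443):
    """Connect with chain verification against the system trust store and return
    (protocol, cipher, forward_secret, leaf_signature_algorithm). Needs the network."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            leaf = tls.getpeercert(binary_form=True)
            return proto, name, is_forward_secret(name), signature_algorithm(leaf)

# Constructed sample data for an offline demo; these are not real certificates.
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
_tlv = lambda tag, value: bytes([tag, len(value)]) + value   # short-form DER, samples only

def sample_cert(sig_oid):
    """Structurally valid Certificate SEQUENCE with a stand-in TBS and an empty signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))

def demo_scan():
    """Write one SHA-1 and one SHA-256 sample as PEM into a temp dir and scan it."""
    d = tempfile.mkdtemp()
    for fname, oid in (("old-sha1.pem", SHA1_RSA_OID), ("new-sha256.crt", SHA256_RSA_OID)):
        Path(d, fname).write_bytes(b"-----BEGIN CERTIFICATE-----\n"
                                   + base64.encodebytes(sample_cert(oid)) + b"-----END CERTIFICATE-----\n")
    return [(Path(p).name, alg) for p, alg in find_sha1_certs(d)]
```

Run `find_sha1_certs` against the directory your IT department imports trusted certificates from; anything it reports is a candidate for replacement with the SHA-256 chain. Running `probe_endpoint` against a test URL tells you whether the default system trust store accepts the new chain (a failed handshake means a missing intermediate or root), which cipher suite was negotiated, and whether that suite is forward secret, which is the check to repeat once the DHE suites listed above are gone. If your integration pins or validates the server certificate itself, it is that code path, not this script, that must be tested against the test URL.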