On December 5th, 2024, Losant is updating its root certificate. This update is required because the current root certificate will no longer be trusted by Mozilla’s CA Certificate Program. More details can be found in DigiCert’s knowledge base.
Previous root certificate: DigiCert Global Root CA
Updated root certificate: DigiCert Global Root G2
This update impacts devices that explicitly use the root certificate to verify TLS connections to the Losant platform. The following list contains the most common examples:
If your devices use root certificates to verify TLS connections and your devices do not contain the updated certificate, they will be unable to connect to the Losant platform after December 5th. Since TLS verification is performed by the device, it is not possible for Losant to determine which devices are impacted.
All versions of Losant’s Gateway Edge Agent (GEA) support the DigiCert Global Root G2 certificate. No GEA customers are impacted by this update.
Impacted devices must be updated to support the DigiCert Global Root G2 certificate before December 5th, 2024. You can download the root certificate files from Losant's MQTT documentation.
Your devices should support both the previous and updated root certificates to ensure a seamless transition. How root certificates are installed is specific to each device and OS. If your firmware requires a certificate file stored somewhere on disk, you can often combine both root certificates into a single file. You can see an example of this in Losant’s Python MQTT Client.
If you’re using the operating system to validate TLS connections, you’ll need to ensure your OS has the DigiCert Global Root G2 certificate installed. Most Linux distributions (e.g. Raspian and Ubuntu) have supported this root certificate since 2015. This certificate is also already included in all versions of Windows after Windows XP SP3. If you’re using a custom build of Linux (e.g. Yocto), you may be required to update your image. Refer to your operating system’s instructions for installing root certificates.
To test HTTPS connections, you can use the DigiCert Global Root G2 demo site. For example, to verify that your Linux distribution has the DigiCert Global Root G2 certificate installed, you can run one of the following commands:
curl https://global-root-g2.chain-demos.digicert.com/
wget https://global-root-g2.chain-demos.digicert.com/
If you do not receive a certificate warning or error, your Linux OS can successfully establish TLS connections using the DigiCert Global Root G2 certificate.
To test MQTTS connections, Losant has provided a temporary endpoint that uses the updated certificate:
Host: broker-g2root.losant.com
Port: 8883
This endpoint connects to the same MQTT broker that's located at broker.losant.com. It accepts the same device IDs, access keys, and access secrets. The only difference is that this test endpoint uses an updated TLS certificate signed by the DigiCert Global Root G2 certificate. This endpoint only accepts TLS connections over port 8883. If you attempt to form an insecure connection over port 1883, the connection will fail.
IMPORTANT: the test endpoint is temporary and will be removed when the new certificate goes live. Once your device has been updated to verify against both the current and updated root certificates, you must ensure the broker URL is set to broker.losant.com.
A root certificate is a public file that identifies the certificate authority that issued a TLS certificate. Root certificates are often used to verify the authenticity of a TLS-encrypted connection. When a client receives certificate information from a server, the client can verify that the certificate is valid by checking it against a known root certificate stored locally.
The DigiCert Global Root G2 root certificate will be trusted by Mozilla until April 15th, 2029. This means the next root certificate update will occur in approximately 4 years.
If you have questions about this update, please let us know on the Losant forums.