Which Certificate Authority Signs the Contrast Server Certificates?

  • Updated


Which Certificate Authority Signs the Contrast Server Certificates?


In Mid November of 2021, Contrast migrated its TLS certificate authority from Amazon Root CA to GlobalSign. The GlobalSign root certificate comes bundled with most applications, operating systems, and platforms and is already trusted as a root certificate authority. However, if you previously needed to add a root certificate authority for Contrast you may need to add the GlobalSign root certificate to your trusted root certificate authorities.

The GlobalSign Root Certificate can be found here: GlobalSign Root Certificates :: GlobalSign Support (R3 GlobalSign Root Certificate). Customers can use the Serial Number and Thumbprint information listed to validate the R3 GlobalSign Root Certificate is a trusted root certificate authority and use the download link to obtain the certificate if it needs to be added.

If you have any questions or concerns please contact the Contrast Support Team by submitting a ticket to our online support portal. 

Example Verification Commands

GlobalSign provides a test URL that can be used to validate the root certificate is trusted. The specific method of validation will vary widely based on your infrastructure, but these are some example commands.

Note: The test system firewalls must be opened to https://valid.r3.roots.globalsign.com/ and support TLS 1.2 for the test to work.

These tests are successful if certificate information is returned (as pictured below). If they are unsuccessful, please contact the Contrast Support Team by submitting a ticket to our online support portal. 

Using the Contrast Java Agent

java -Dcontrast.api.url=https://valid.r3.roots.globalsign.com/ -jar contrast.jar diagnostic
*** Contrast Agent (version
[!] Attempting to connect to the Contrast TeamServer at https://valid.r3.roots.globalsign.com/ (No proxy).
[!] Attempting to resolve domain: valid.r3.roots.globalsign.com
	Resolved domain valid.r3.roots.globalsign.com to IP Address
[+] Client successfully resolved the DNS of the Contrast TeamServer.
[!] Issuing HTTP request to Contrast...
	Executing request...
	Reading response [200]
	Response size = 1797
	Snippet: <!doctype html> <html lang="en"> <head> <title>GlobalSign Ro
[+] Client can connect directly to the Contrast TeamServer. No proxy needed.

Using the Contrast .NET Agent Diagnostic Utility from PowerShell

.\contrast-dotnet-diagnostics.exe connect
2021-11-02 16:51:25.6943|INFO|NLogManager|Applying new log level 'warn' (Warn).
Diagnostics running as '.NET Core' on Windows (x64), Non-Azure.

2021-11-02 16:51:26.2726|FATAL|FileConfigValueSource|Using yaml config file from 'C:\ProgramData\contrast\dotnet\contrast_security.yaml'.
Testing connection to Contrast ('https://valid.r3.roots.globalsign.com/').
Received NotFound from Contrast for endpoint: /Contrast/s/api/dotnet/newer/ (Not Found)
Diagnostic successfully connected to Contrast!

Using cURL

$ curl https://valid.r3.roots.globalsign.com/

<!doctype html>
<html lang="en">
<title>GlobalSign Root CA - R3</title>
<link rel="globalsign" href="/favicon.ico" />
<link rel="stylesheet" type="text/css" href="default.css">
<h1>GlobalSign Root CA - R3</h1>

<h2>Expected page status: Valid</h2>

OU=GlobalSign Root CA - R3</br>
Serial number=04 00 00 00 00 01 21 58 53 08 a2</br>
Valid from=18 March 2009</br>
Valid to=18 March 2029</br>
Download url=http://secure.globalsign.com/cacert/root-r3.crt</br></br>

Using OpenSSL

❯ openssl s_client -connect valid.r3.roots.globalsign.com:443 -servername valid.r3.roots.globalsign.com
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
verify return:1
depth=0 businessCategory = Private Organization, serialNumber = 578611, jurisdictionCountryName = US, jurisdictionStateOrProvinceName = New Hampshire, C = US, ST = New Hampshire, L = Portsmouth, street = "2 International Drive, Suite 150", O = "GMO GlobalSign, Inc.", CN = valid.r3.roots.globalsign.com
verify return:1
Certificate chain
0 s:/businessCategory=Private Organization/serialNumber=578611/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New Hampshire/C=US/ST=New Hampshire/L=Portsmouth/street=2 International Drive, Suite 150/O=GMO GlobalSign, Inc./CN=valid.r3.roots.globalsign.com
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G3
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G3
i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign


Using PowerShell

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$returnobj = [ordered]@{
    URL = $computer;
    Port = $port;
    Subject = $certinfo.Subject;
    Thumbprint = $certinfo.GetCertHashString();
    Issuer = $certinfo.Issuer;
    SerialNumber = $certinfo.GetSerialNumberString();
    Issued = [DateTime]$certinfo.GetEffectiveDateString();
    Expires = [DateTime]$certinfo.GetExpirationDateString();
new-object PSCustomObject -Property $returnobj 
URL          : valid.r3.roots.globalsign.com
Port         : 443
Subject      : CN=valid.r3.roots.globalsign.com, O="GMO GlobalSign, Inc.", STREET="2 International Drive, Suite 150", L=Portsmouth, S=New Hampshire, C=US, OID. Hampshire,
               OID., SERIALNUMBER=578611, OID. Organization
Thumbprint   : 018B73CFAAA568137298E8136717A1B519B055D9
Issuer       : CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
SerialNumber : 540392323411D0ADEAB14AD3
Issued       : 5/21/2020 4:11:03 AM
Expires      : 5/22/2022 4:11:03 AM 

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request