Which Certificate Authority Signs the Contrast Server Certificates?

Question

Which Certificate Authority Signs the Contrast Server Certificates?

Answer

In mid-November 2021, Contrast migrated its TLS certificate authority from Amazon Root CA to GlobalSign. The GlobalSign root certificate comes bundled with most applications, operating systems, and platforms and is already trusted as a root certificate authority. However, if you previously needed to add a root certificate authority for Contrast, you may need to add the GlobalSign root certificate to your trusted root certificate authorities.

The GlobalSign Root Certificate can be found here: GlobalSign Root Certificates :: GlobalSign Support (R3 GlobalSign Root Certificate). Customers can use the Serial Number and Thumbprint information listed there to validate that the R3 GlobalSign Root Certificate is a trusted root certificate authority, and use the download link to obtain the certificate if it needs to be added.

If you have any questions or concerns, please contact the Contrast Support Team by submitting a ticket to our online support portal.
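The serial-number check described above can be scripted against a local trust store. This is an added example, not Contrast or GlobalSign code; it uses the serial number shown in the cURL output later on this page, and `SAMPLE_STORE` is constructed sample data in the shape returned by Python's `ssl.SSLContext.get_ca_certs()`.

```python
import re
import ssl

# Serial number of GlobalSign Root CA - R3 as printed in this page's test-URL output.
R3_SERIAL = "04 00 00 00 00 01 21 58 53 08 a2"

def normalize_serial(serial):
    """Strip separators, case and leading zeros so differently formatted serials compare equal."""
    return re.sub(r"[\s:]", "", serial).upper().lstrip("0")

def subject_field(cert, name):
    """Return one subject attribute (e.g. organizationalUnitName) from an ssl-module cert dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None

def find_root(ca_certs, serial=R3_SERIAL):
    """Return self-signed entries with the wanted serial; an empty list means not trusted here."""
    wanted = normalize_serial(serial)
    return [c for c in ca_certs
            if normalize_serial(c.get("serialNumber", "")) == wanted
            and c.get("subject") == c.get("issuer")]

def check_local_store():
    """Search the store Python's ssl module loads by default (OpenSSL bundle or Windows store).
    Certificates kept only in a capath directory are loaded lazily and may not be listed."""
    return find_root(ssl.create_default_context().get_ca_certs())

# Constructed sample entries (not read from a real store) for offline use.
_R3_NAME = ((("organizationalUnitName", "GlobalSign Root CA - R3"),),
            (("organizationName", "GlobalSign"),),
            (("commonName", "GlobalSign"),))
_OTHER_NAME = ((("commonName", "Example Test Root (constructed)"),),)
SAMPLE_STORE = [
    {"subject": _R3_NAME, "issuer": _R3_NAME, "serialNumber": "04000000000121585308A2"},
    {"subject": _OTHER_NAME, "issuer": _OTHER_NAME, "serialNumber": "01"},
]

if __name__ == "__main__":
    hits = check_local_store()
    for cert in hits:
        print("trusted:", subject_field(cert, "organizationalUnitName"), cert["serialNumber"])
    if not hits:
        print("GlobalSign Root CA - R3 not found in this trust store")
```

This inspects only the store Python's `ssl` module loads by default; a JVM keeps its own truststore, which this does not read. The thumbprint is not reproduced on this page, so compare it against the value on the GlobalSign support page before adding a downloaded root.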

Example Verification Commands

GlobalSign provides a test URL that can be used to validate that the root certificate is trusted. The specific method of validation will vary widely based on your infrastructure, but these are some example commands.

Note: The test system's firewall must allow access to https://valid.r3.roots.globalsign.com/ and the system must support TLS 1.2 for the test to work.

These tests are successful if certificate information is returned (as shown below). If they are unsuccessful, please contact the Contrast Support Team by submitting a ticket to our online support portal.

Using the Contrast Java Agent

java -Dcontrast.api.url=https://valid.r3.roots.globalsign.com/ -jar contrast.jar diagnostic
*** Contrast Agent (version 3.8.9.22387)
[!] Attempting to connect to the Contrast TeamServer at https://valid.r3.roots.globalsign.com/ (No proxy).
[!] Attempting to resolve domain: valid.r3.roots.globalsign.com
	Resolved domain valid.r3.roots.globalsign.com to IP Address 185.140.80.46
[+] Client successfully resolved the DNS of the Contrast TeamServer.
[!] Issuing HTTP request to Contrast...
	Executing request...
	Reading response [200]
	Response size = 1797
	Snippet: <!doctype html> <html lang="en"> <head> <title>GlobalSign Ro
[+] Client can connect directly to the Contrast TeamServer. No proxy needed.

Using the Contrast .NET Agent Diagnostic Utility from PowerShell

$env:CONTRAST__API__URL='https://valid.r3.roots.globalsign.com/'
.\contrast-dotnet-diagnostics.exe connect
2021-11-02 16:51:25.6943|INFO|NLogManager|Applying new log level 'warn' (Warn).
Diagnostics running as '.NET Core' on Windows (x64), Non-Azure.

2021-11-02 16:51:26.2726|FATAL|FileConfigValueSource|Using yaml config file from 'C:\ProgramData\contrast\dotnet\contrast_security.yaml'.
Testing connection to Contrast ('https://valid.r3.roots.globalsign.com/').
Received NotFound from Contrast for endpoint: /Contrast/s/api/dotnet/newer/1.0.0.0. (Not Found)
Diagnostic successfully connected to Contrast!

Using cURL

$ curl https://valid.r3.roots.globalsign.com/

<!doctype html>
<html lang="en">
<head>
<title>GlobalSign Root CA - R3</title>
<link rel="globalsign" href="/favicon.ico" />
<link rel="stylesheet" type="text/css" href="default.css">
</head>
<body>
<h1>GlobalSign Root CA - R3</h1>

<h2>Expected page status: Valid</h2>

<h3>
CN=GlobalSign</br>
O=GlobalSign</br>
OU=GlobalSign Root CA - R3</br>
Serial number=04 00 00 00 00 01 21 58 53 08 a2</br>
Valid from=18 March 2009</br>
Valid to=18 March 2029</br>
Download url=http://secure.globalsign.com/cacert/root-r3.crt</br></br>
Base64
</h3>
<pre>
-----BEGIN CERTIFICATE-----
<OUTPUT REMOVED>
-----END CERTIFICATE-----
</pre>
</body>
</html>

Using OpenSSL

❯ openssl s_client -connect valid.r3.roots.globalsign.com:443 -servername valid.r3.roots.globalsign.com
CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
verify return:1
depth=0 businessCategory = Private Organization, serialNumber = 578611, jurisdictionCountryName = US, jurisdictionStateOrProvinceName = New Hampshire, C = US, ST = New Hampshire, L = Portsmouth, street = "2 International Drive, Suite 150", O = "GMO GlobalSign, Inc.", CN = valid.r3.roots.globalsign.com
verify return:1
---
Certificate chain
0 s:/businessCategory=Private Organization/serialNumber=578611/jurisdictionCountryName=US/jurisdictionStateOrProvinceName=New Hampshire/C=US/ST=New Hampshire/L=Portsmouth/street=2 International Drive, Suite 150/O=GMO GlobalSign, Inc./CN=valid.r3.roots.globalsign.com
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G3
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G3
i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
---

<OUTPUT REMOVED>

Using PowerShell

# Certificate validation is left at its default, so GetResponse() throws
# if the server's chain does not lead to a trusted root.
$computer = 'valid.r3.roots.globalsign.com'
$port = 443
$request = [Net.HttpWebRequest]::Create("https://${computer}:${port}/")
# The request must actually be sent; ServicePoint.Certificate is empty until then.
$request.GetResponse().Close()
$certinfo = $request.ServicePoint.Certificate
$returnobj = [ordered]@{
    URL = $computer;
    Port = $port;
    Subject = $certinfo.Subject;
    Thumbprint = $certinfo.GetCertHashString();
    Issuer = $certinfo.Issuer;
    SerialNumber = $certinfo.GetSerialNumberString();
    Issued = [DateTime]$certinfo.GetEffectiveDateString();
    Expires = [DateTime]$certinfo.GetExpirationDateString();
}
New-Object PSCustomObject -Property $returnobj
URL          : valid.r3.roots.globalsign.com
Port         : 443
Subject      : CN=valid.r3.roots.globalsign.com, O="GMO GlobalSign, Inc.", STREET="2 International Drive, Suite 150", L=Portsmouth, S=New Hampshire, C=US, OID.1.3.6.1.4.1.311.60.2.1.2=New Hampshire,
               OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=578611, OID.2.5.4.15=Private Organization
Thumbprint   : 018B73CFAAA568137298E8136717A1B519B055D9
Issuer       : CN=GlobalSign Extended Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
SerialNumber : 540392323411D0ADEAB14AD3
Issued       : 5/21/2020 4:11:03 AM
Expires      : 5/22/2022 4:11:03 AM 
