Authorize.net is changing the SSL/TLS certificates

[jtphelan]

Authorize.net is changing the SSL/TLS certificates that applications and websites use to communicate with its systems, moving from Entrust to DigiCert. This change will impact both browser-based and server-to-server interactions. Per authorize.net, this module will need to be updated by Oct 23, 2024.

https://support.authorize.net/knowledgebase/Knowledgearticle/?code=KA-05545

[mglaman]

The SDK has the following logic:

        if (isset($config['certificate_verify'])) {
            $this->certificateVerify = $config['certificate_verify'];
        } elseif ($cert = ini_get('curl.cainfo')) {
            $this->certificateVerify = $cert;
        } else {
            $this->certificateVerify = __DIR__ . '/../resources/cert.pem';
        }

The shipped certs are a fallback incase curl.cainfo isn't available, which it should be. However, we can update this to be safe.

[btmash]

Updating it would make a lot of sense as it ensures folks that don't have it set up would not be impacted. I downloaded the files from https://support.authorize.net/knowledgebase/Knowledgearticle/?code=000003009 but the combined cert file is quite a deal smaller than expected. Should anything else be getting added?

[btmash]

I think this is a pretty critical piece as I have a site on Acquia and looking at the phpinfo from there, curl.cainfo is not set.

As an alternative, do I just need a cacert.pem from https://curl.se/docs/caextract.html and then point to that in my php.ini file (via curl.cainfo)?

[rmcveigh]

PR #42 seems related to this issue.