On December 5th, 2024, Losant is updating its root certificate. This update impacts devices that explicitly use the root certificate to verify TLS connections to the Losant platform.
If your devices use root certificates to verify TLS connections and your devices do not contain the updated certificate, they will be unable to connect to the Losant platform after December 5th.
Edit: We have extended the deadline from August 1st to December 5th to give customers more time to update their devices.
For additional information and mitigation steps, please review the full blog article:
If you would like to test your hardware to see if it can connect securely using the new root certificate, connect to our broker at broker-g2root.losant.com. This is only supported on port 8883 (mqtts protocol).
If the device successfully establishes a secure connection at that host, then it will also succeed when we make the switch on broker.losant.com on August 1.
Note that broker-g2root.losant.com is only available temporarily to allow our users to test their hardware against the upcoming root certificate change; you should not utilize this endpoint for sustained device connections.
Why change the root certificate on August 1, 2024 when the trust of the current cert by Mozilla’s CA Certificate Program doesn’t expire until April 15, 2025?
We have a number of devices which do not support two certificates.
I have tested using the new cert, and temporary broker, and it works OK.
How should I best manage the switchover? Is there a possibility of both certificates being accepted for a period of time, allowing us to switch over in a controlled manner?
We’re looking into the possibility of bringing up another temporary endpoint that will remain on the old cert. This way you could switch to that endpoint now and remain connected after the production endpoint changes. You can then issue the required commands to switch the devices to the production endpoint with the updated certificate.
Is there a possibility that the main MQTT broker (broker.losant.com) could accept both old and new certs for a period of time after Dec 5th?
This will allow more time for systems that are shipped but have not been deployed yet (and won’t be before Dec 5th) to get an update. As per current plan of hard cut-off Dec 5th, those systems will not get a chance to connect and receive the new cert because they’re on the old cert.
Is the new root cert currently accepted on the main MQTT endpoint (broker.losant.com)?
If possible this will help us test our release candidate firmware (with old+new cert) against the main broker, as opposed to changing the endpoint to the test one just for the purpose of testing.
In effect it’ll reduce our testing to half, because we can just test against the main MQTT broker as opposed to main+test MQTT brokers.
Is there a possibility that the main MQTT broker (broker.losant.com) could accept both old and new certs for a period of time after Dec 5th?
No, sorry; servers can only provide one certificate to the client at a time.
Is the new root cert currently accepted on the main MQTT endpoint (broker.losant.com)?
The MQTT broker is currently using a certificate signed with the old root cert. While that certificate is valid until August 2025, clients will stop trusting that certificate sometime in April 2025. We’ll be switching broker.losant.com’s certificate to one signed with the new root cert on December 5th, 2024.
For testing purposes, we have another broker endpoint set up at broker-g2root.losant.com and its SSL is signed using the new root cert.
If I am reading this correctly, the Mozilla distrust date is “April 15, 2026” for “DigiCert Global Root CA”.
That doesn’t line up with either Aug 2025 or Apr 2025.
For those interested, we have merged the old and new certificates together, and both the existing broker and test broker accept the new modified certificate.
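One way to build a merged old-plus-new root bundle like the one discussed in this thread and check it against both brokers, added here as an example; it is not part of any post above and not Losant's own tooling. The file names `old_root.pem`, `new_root.pem` and `merged_roots.pem` are assumptions; the host names and port 8883 come from the announcement.

```python
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def merge_pem_bundles(*pem_texts):
    """Concatenate PEM bundles in order, dropping duplicate certificates."""
    seen, blocks = set(), []
    for text in pem_texts:
        for body in PEM_BLOCK.findall(text):
            key = "".join(body.split())  # ignore line-wrapping differences
            if key in seen:
                continue
            seen.add(key)
            wrapped = "\n".join(key[i:i + 64] for i in range(0, len(key), 64))
            blocks.append("-----BEGIN CERTIFICATE-----\n%s\n"
                          "-----END CERTIFICATE-----\n" % wrapped)
    return "".join(blocks)

def count_certs(pem_text):
    """Number of certificate blocks in a PEM bundle."""
    return len(PEM_BLOCK.findall(pem_text))

def tls_verifies(host, bundle_pem, port=8883, timeout=10):
    """True if the host's chain validates against ONLY the given bundle."""
    # PROTOCOL_TLS_CLIENT enables chain verification and hostname checking
    # and does not load the system trust store, so this mirrors a device
    # that trusts nothing but its pinned roots.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=bundle_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError) as exc:
        print("%s: %s" % (host, exc), file=sys.stderr)
        return False

if __name__ == "__main__":
    # Assumed file names: the root the device ships with and the new root.
    merged = merge_pem_bundles(open("old_root.pem").read(),
                               open("new_root.pem").read())
    open("merged_roots.pem", "w").write(merged)
    for host in ("broker.losant.com", "broker-g2root.losant.com"):
        print(host, "OK" if tls_verifies(host, merged) else "FAILED")
```

Running the check once with each single root and once with the merged bundle shows which root each endpoint currently chains to.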