Important: Security Certificate Upgrades on May 26th
Authorize.Net is upgrading our infrastructure to enhance system performance and security. On May 26, 2015, we are upgrading to new security certificates, which are signed using Security Hash Algorithm 2 (SHA-2) and 2048-bit signatures. Most modern operating systems and web servers support certificates that use SHA-2, however, there is a concern that older software--especially software based on outdated versions of Java--may not.
If any updates are necessary, please refer your web developer to this blog post in our Developer Community, which has all of the certificate information they will need for this update. Our sandbox environment has already been updated so that your developer can validate that your solution will continue to work using SHA-2 signed certificates, prior to May 26th.
After the update is complete on May 26th, any website or payment solution that cannot validate SHA-2 signed certificates will fail to connect to Authorize.Net's servers.
Some have been saying that your ColdFusion 8 CFHTTP using Java 1.6.0_nn will no longer work with Authorize.net. We've found this to not be the case. We have a crack team of ColdFusion Guru's here at CF Webtools and we've been testing for the potential fall out of these and other SSL upgrades for a few months. Personally, I have a testbed system here with ColdFusion versions 8, 9, 10 and 11 and that is setup for testing CFHTTP and SSL issues and I can easily test the same CFHTTP code on each ColdFusion version with each version of Java from 1.6 to 1.8. Another member of our team has been working with support at Authorize.net to ensure the upgrade to their SSL will work with existing ColdFusion 8 on Java 1.6 installations.
The Authorize.net support team has been saying to use the test URL show in the code snippet below to ensure that your code and server will work with the upgraded SSL certificates. The test URL is already using a SHA-2 (256-Bit) SSL.
You should get a 200 Response with an error saying "The merchant login ID or password is invalid or the account is inactive.". This means that you've made a successful SSL connection, but you didn't provide any authorization credentials. If you get this you're good to go for the upgraded SHA-2 (256bit) SSL Certificates.
Our testing was first done on ColdFusion 8 with Java 1.6.0_45. This configuration worked WITHOUT any changes to the Java KeyStore or to the standard ColdFusion 8 CFHTTP call.
The same held true for our testing of the same code snippet with ColdFusion 9 on both Java 1.6 and Java 1.7, ColdFusion 10 on Java 1.7 and Java 1.8 and ColdFusion 11 on Java 1.7 and Java 1.8.
If you are on an older version of Java then you may need to do one of the following; upgrade the Java version you are running, import the certificate key chain into the the Java KeyStore or replace the Java KeyStore with one from a new version of Java. We tested all three and they work. See the Muse post for Trusted Keystore instructions.
We are able to say with great confidence that the SHA-2 (256-bit) SSL Certificate change will work with ColdFusion 8 on Java 1.6.0_45 and up.
Update - 5/29/2015
We just had a company contact us today to help them get their website that is using ColdFusion 7 on Java 1.4 to work with Authorize.net. I had my initial doubts because that version of Java is really old. But after importing the required certificates into the Java Keystore they were able to process transactions through Authorize.net again. I was surprised.