Actions Required before the Current Menlo Security Root Certificate expires in November 2025

Ted Chu
Ted Chu
  • Updated

MSIP relies on a root certificate managed by Menlo Security, Inc. The current root certificate will expire on 9th November 2025.  This requires a new root certificate to be issued and deployed for continued operation of MSIP beyond that date.

The new root certificate with a validity time of 20 years will be made available in March 2025 and needs to be deployed to target client computers before 9th November 2025.

Note:  Further details will be provided when the new certificate becomes available.

Although customers can choose to perform the renewal process at any time between November 2024 and 9th November 2025, Menlo recommends that the rollout of the new root certificate be completed by 1st October 2025, to ensure business continuity. 


Actions

This article outlines the steps required for system administrators to perform the process to ensure a successful renewal. 

  1. Acquire the new root certificate, once available, by following the steps outlined in the KB article  Menlo Security Production SSL Inspection Root CA Certificate.
  2. Utilize the same method your organization currently employs to distribute the root certificate, for deploying the new root certificate to the target client computers.
  3. Once you have distributed the new root certificate and confirmed proper operation, you can optionally remove the previous root certificate at any point either before or after its expiration on 9th November 2025.

Impact on end users:

There is no configuration needed for end users, who will continue to browse the internet as usual without noticing the rollout. 


FAQ

Why is it necessary to roll out the new root certificate?

As the current root certificate will expire on 9th November 2025, the verification of the certificate chain will fail, which will lead to service disruption of MSIP. A new root certificate is needed with a new validity date to ensure service availability of the MSIP service.

As an end user, what do I need to do?

There is nothing an end user needs to do as the process is transparent and seamless from the perspective of an end user. 

What browsers are supported by the new root certificate?

All browsers supported by MSIP will continue to work with the new root certificate.

What operating systems are supported by the new root certificate?

All operating systems supported by MSIP will continue to work with the new root certificate.

As an administrator, can I leave the current root certificate on target client computers beyond 9th November 2025? Will it cause any problems if I do so?

It will not cause problems to have both the current root certificate and the new root certificate on the target client computers. 

Does the rollout of the new root certificate on the target client computers require a reboot?

No. A reboot isn’t needed after the new root certificate is deployed onto a target client computer.

 


Applies to: Cloud
Date Written: October 2024


Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.