Overview
Mastercard is changing Certificate Authority (CA) providers, announcing a transition from Entrust CA to DigiCert CA for secure connections to its services. This change, published in Mastercard’s February 6th, 2025, release, impacts all clients integrating Pega Smart Dispute (SD) with Mastercard and requires immediate action to avoid service disruptions.
Impact
Clients using Pega Smart Dispute with Mastercard integrations must update their trust stores to replace Entrust CA with DigiCert CA. Failure to update may result in transaction failures, authentication errors, and service disruptions.
The impacted Mastercard service domains, along with deployment timelines, are as follows:
Domain | Certificate Deployment Date |
---|---|
api.mastercard.com (Production) | 9 April 2025 |
sandbox.api.mastercard.com (Sandbox) | 24 March 2025 |
mtf.api.mastercard.com | 24 March 2025 |
stage.api.mastercard.com | 24 March 2025 |
Required Action Steps
To avoid Mastercard service interruptions, follow these steps:
1. Confirm impact with Mastercard – Contact Mastercard to verify required changes specific to your organization.
2. Assess trust store configuration – Review current Pega Smart Dispute environments to determine if Entrust CA is in use.
3. Download and install DigiCert certificates – Retrieve the DigiCert certificates, update the trust stores, and refer to “Steps to Combine Certificates for Upload to Pega Keystore Rule” below for merging multiple certificates. This ensures backward compatibility.
4. Test in lower environments (before March 24, 2025) – Validate the integration with the updated DigiCert CA in sandbox environments.
5. Schedule production updates (before April 9, 2025) – Plan and implement the update in production to ensure uninterrupted service.
6. Engage security & operations teams – Coordinate with internal security, IT, and production support teams to ensure smooth implementation and compliance.
Steps to Combine Certificates for Upload to Pega Keystore Rule:
To upload multiple certificates (DigiCert and Entrust CA) as a single entity into the Keystore rule in Pega, you may need to concatenate the certificates into a single file. Here’s how to do it:
1. Download the two new required certificates
- Get the two DigiCert CA certificates from the Mastercard DigiCert page.
- Download the PEM version of the certificates.
2. Retrieve the Entrust CA certificate currently in use
- Get the keystore file (.p12) provided by Mastercard currently in use (file password will be needed).
- Extract the Entrust certificate using the OpenSSL utility:
openssl pkcs12 -in myKeystoreFile.p12 -out entrust.crt.pem -clcerts -nokeys
3. Concatenate the new certificates into a single file
- Open a text editor (e.g., Notepad++ on Windows or nano on Linux/Mac) and paste the two DigiCert certificates into one file. Maintain the order:
  - DigiCert Root CA
  - DigiCert Intermediate CA
- Ensure each certificate starts and ends properly.
-----BEGIN CERTIFICATE-----
(Certificate Content)
-----END CERTIFICATE-----
- Save the file as combined-certs.crt.pem.
4. Retrieve the existing private key file
- Get the keystore file (.p12) provided by Mastercard currently in use (file password will be needed).
- Extract the private key from the existing keystore using OpenSSL utility:
openssl pkcs12 -in myKeystoreFile.p12 -out mymci-api.key.pem -nocerts -nodes
5. Create the new keystore file (PKCS12 format)
- Use the following files from the previous steps:
  - combined-certs.crt.pem
  - entrust.crt.pem
  - mymci-api.key.pem
- Generate the new keystore file (PKCS12 format) using the OpenSSL utility. This will require setting a password.
openssl pkcs12 -export -in entrust.crt.pem -inkey mymci-api.key.pem -out myNewKeystoreFile.p12 -certfile combined-certs.crt.pem -name "keyalias"
6. (Optional) Validate the new keystore file
- Extract the new DigiCert CA certificates:
openssl pkcs12 -in myNewKeystoreFile.p12 -out digicerts.crt.pem -cacerts -nokeys
- Extract the Entrust CA certificate:
openssl pkcs12 -in myNewKeystoreFile.p12 -out entrust.crt.pem -clcerts -nokeys
- Open both files (digicerts.crt.pem and entrust.crt.pem) in a text editor and compare them with the original input certificate files to verify correctness.
- Verify all entries (certificate chain and private key) in the keystore with OpenSSL to ensure everything is correctly stored and the certificate chain is intact:
openssl pkcs12 -info -in myNewKeystoreFile.p12
7. Upload the new keystore file to Pega Keystore Rule
- Navigate to Records > Security > Keystore in Pega.
- Create a new Keystore record or update the existing record in use.
- Upload the myNewKeystoreFile.p12 file to the Keystore record.
- Save the record.
- If using an existing Keystore record, update the cache.
  - In Dev Studio, run activity Data-Admin-Security-Certificate.pxAddCertificatesToPlatformTruststore.
- If using a new Keystore record, update the Dynamic System Setting PegaCardSDMasterCard MCOMClaimsMgrKeystore with the name of the new record. See setting the keystore name for more information.
- Test the configuration.
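Steps 2 through 6 above can be run as a script; the following is an added example, not part of the Pega or Mastercard procedure. It assumes the passwords are supplied in the environment variables OLD_P12_PASS and NEW_P12_PASS (hypothetical names) rather than typed at a prompt, and it writes validation output to separate check-*.pem files (also hypothetical names) so the files from steps 2 and 3 remain available for comparison.

```sh
#!/bin/sh
# Added example. Assumed names: OLD_P12_PASS / NEW_P12_PASS environment
# variables for the keystore passwords, and the check-*.pem output files.
set -e
umask 077   # -nodes writes the private key unencrypted; keep it owner-only

# SHA-256 fingerprint of the first certificate in a PEM file
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Number of certificates in a PEM bundle (prints 0 for none)
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Steps 2-5. Args: old.p12 digicert-root.pem digicert-intermediate.pem new.p12 alias
build_keystore() {
  openssl pkcs12 -in "$1" -passin env:OLD_P12_PASS -clcerts -nokeys \
    -out entrust.crt.pem
  openssl pkcs12 -in "$1" -passin env:OLD_P12_PASS -nocerts -nodes \
    -out mymci-api.key.pem
  # Re-encode each input so every block is parsed as a certificate and ends
  # with a newline; order is root first, then intermediate.
  { openssl x509 -in "$2"; openssl x509 -in "$3"; } > combined-certs.crt.pem
  openssl pkcs12 -export -in entrust.crt.pem -inkey mymci-api.key.pem \
    -certfile combined-certs.crt.pem -name "$5" \
    -passout env:NEW_P12_PASS -out "$4"
}

# Step 6. Arg: new.p12. Returns non-zero on the first mismatch.
verify_keystore() {
  openssl pkcs12 -in "$1" -passin env:NEW_P12_PASS -cacerts -nokeys \
    -out check-ca.pem || return 1
  openssl pkcs12 -in "$1" -passin env:NEW_P12_PASS -clcerts -nokeys \
    -out check-client.pem || return 1
  # Both DigiCert certificates made it into the keystore
  [ "$(cert_count check-ca.pem)" -eq "$(cert_count combined-certs.crt.pem)" ] \
    || return 1
  # The client certificate is the one extracted in step 2
  [ "$(cert_fp check-client.pem)" = "$(cert_fp entrust.crt.pem)" ] || return 1
  # The stored private key belongs to that certificate (public keys match)
  key_pub=$(openssl pkcs12 -in "$1" -passin env:NEW_P12_PASS -nocerts -nodes \
    | openssl pkey -pubout | openssl sha256)
  crt_pub=$(openssl x509 -in check-client.pem -noout -pubkey | openssl sha256)
  [ "$key_pub" = "$crt_pub" ]
}
```

Delete mymci-api.key.pem once the new keystore verifies, since -nodes leaves the private key unencrypted on disk.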
If, after reviewing this Support document, you have any further questions or concerns, please raise a Support ticket with Global Client Support in My Support Portal for assistance.
Resources & Additional Information:
For further details, refer to the following resources:
• Mastercard Official Release Notes: Mastercard February 6, 2025, Release Notes
• Mastercard DigiCert Root Certificates: DigiCert Root Certificates
• Pega Smart Dispute Authentication & Trust store Update Guide: Authentication Configuration for Mastercard