Introduction
At L2L, we prioritize the security and reliability of our services. As part of our commitment to maintaining a secure environment for our customers, we conduct an annual renewal of our SSL (Secure Sockets Layer) certificates. This document outlines the SSL Certificate Renewal Process, ensuring that your integrations, such as Single Sign-On or other third-party systems, continue to operate without interruption.
SSL Certificate Renewal Process
Overview
Our SSL Certificates are renewed annually to ensure enhanced security for our communications and services. We use a wildcard certificate to secure multiple subdomains under a single SSL certificate, simplifying management and deployment. Here’s what you need to know about the renewal process:
This SSL certificate renewal will specifically affect customers in the following scenarios:
- Using SSO (Single Sign-On) for logins. (If your organization uses Single Sign-On with L2L, this update generally does not require manual certificate installation. In most standard SSO/SAML setups, the certificate is handled as part of the normal trust chain.)
- Having integration with 3rd parties using the L2L API and performing SSL verification in the process. (For standard integrations using the L2L API, we do not expect customers to need any changes. Most integrations rely on standard SSL validation and will continue to work normally. You would only need to take action if your team intentionally configured a custom SSL verification process, certificate pinning, or a manually managed trust store. If that is the case, your IT or integration team would typically already know that this applies to your environment.)
- Utilizing custom L2L Studio applications with the L2L Login Plugin. (This scenario is valid, but only for customer-managed applications. If your team built and maintains a custom Studio application that uses the L2L Login Plugin, your team may need to review and update the certificate as needed. If the Studio application was built and is maintained by L2L Technical Services, then no action is required from your side for this item.)
In summary:
- If you are using standard L2L functionality and standard integrations, you most likely do not need to do anything.
- If you fall into any of the categories above, it is imperative to take action to update your systems with the new SSL certificate to avoid any service interruption.
If your IT team is unsure whether any of these special cases apply, the best question to ask internally is:
“Did we manually install, pin, or explicitly trust the L2L SSL certificate anywhere in our environment?”
If the answer is no, then no action is likely needed.
Timeline
- Reminder Communication: L2L will communicate to all customers detailing the dates and process one month before the renewal will happen.
- Availability of New SSL Certificate: The new SSL Certificate will be available for download two Mondays before the expiration date of the current certificate at https://l2ltest-l2l.leading2lean.com.
- 2nd Reminder: A follow-up communication will be sent on the Friday before the Monday when the sites will switch to the new SSL Certificate.
- Switch to New SSL Certificate: All domains will transition to the new SSL Certificate on the last Monday before the current certificate's expiration date.
- Completion Confirmation: After the SSL update has been completed, L2L will send a completion and confirmation message to all customers, including information about the next expiration date.
How to Download the New SSL Certificate - YOU DO NOT NEED TO LOG IN TO VIEW THE CERT
Using a Chrome Browser:
- Visit the SSL Certificate download page: https://l2ltest-l2l.leading2lean.com
- Click on the padlock icon next to the URL in the address bar.
- Navigate to the "Certificate" (valid) section.
- In the Certificate window, go to the "Details" tab and click on 'Export' to start the certificate export wizard.
- Follow the wizard steps to save the SSL Certificate file on your computer.
Using Microsoft Edge Browser:
- Visit the SSL Certificate download page: https://l2ltest-l2l.leading2lean.com
- Click on the padlock icon next to the URL in the address bar.
- Navigate to Connection is Secure>
- In the Certificate window, go to the "Details" tab and click on 'Export' to start the certificate export wizard.
- Follow the wizard steps to save the SSL Certificate file on your computer.
Using curl:
curl -o l2l_certificate.pem https://[SUBDOMAIN].leading2lean.com
Replace l2l_certificate.pem with your desired file name. This command downloads the certificate to your specified file.
How to Check the Expiration Date of a Certificate
You can check the expiration date of your SSL certificate using the following command in your terminal or command prompt:
openssl x509 -noout -dates -in l2l_certificate.pem
Replace l2l_certificate.pem with the path to your certificate file. This command will display the notBefore and notAfter dates, which indicate the certificate's validity period.
Important Note for Corporate Networks with Deep Packet Inspection (DPI)
If you are accessing the SSL Certificate from a corporate network that uses Deep Packet Inspection, your system may not retrieve the original L2L SSL Certificate but instead an intermediary certificate generated by your company's security infrastructure. To verify the authenticity of the downloaded certificate:
1. Check the Certificate Authority (CA): Open the downloaded certificate. Look for the issuer (CA) that signed the certificate.
2. Verify the CA: If the CA is a well-known, globally recognized certificate authority (DigiCert, GlobalSign, Sectigo, USERTrust, Let's Encrypt), the certificate is valid. If the CA is an internal or autogenerated certificate, you may not have received the original.
3. Solution: To ensure you have the correct SSL certificate, try downloading it from a network outside of your corporate environment, such as a personal internet connection, or request the certificate from your IT team.
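The command-line download, the expiration check and the issuer check described above can be scripted together; the following is an added example, not L2L's own tooling. It reads the certificate from the TLS handshake with openssl s_client (curl -o saves the HTTP response body, not the certificate), and the function names, the 14-day warning threshold and the constructed self-signed test certificates are assumptions of the example.

```shell
#!/bin/sh
# Added example, not L2L tooling. CA names below are the ones the article lists.
PUBLIC_CAS='DigiCert|GlobalSign|Sectigo|USERTrust|Let.s Encrypt'

# Save the leaf certificate that HOST presents in the TLS handshake to OUT (PEM).
fetch_leaf_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$2"
}

# Print the issuer distinguished name of a PEM certificate file.
cert_issuer() {
    openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//'
}

# Succeed if the issuer names a public CA from the article's list. This mirrors
# the manual check only; it is a name match, not chain validation.
issuer_is_public_ca() {
    cert_issuer "$1" | grep -Eqi "$PUBLIC_CAS"
}

# Succeed if the certificate is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Classify a certificate file: intercepted-or-internal, expiring, or ok.
classify_cert() {
    if ! issuer_is_public_ca "$1"; then
        echo "intercepted-or-internal"   # issuer is not a public CA (e.g. DPI proxy)
    elif ! valid_for_days "$1" "${2:-14}"; then
        echo "expiring"                  # assumed 14-day warning threshold
    else
        echo "ok"
    fi
}

# Constructed test input: self-signed certificate with issuer organisation ORG,
# valid for DAYS days, so the checks can be exercised offline.
make_constructed_cert() {   # usage: make_constructed_cert OUT ORG DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/O=$2/CN=constructed.example" -days "$3" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

# Usage: fetch_leaf_cert SUBDOMAIN.leading2lean.com l2l_certificate.pem
#        classify_cert l2l_certificate.pem
```

A result of intercepted-or-internal on a certificate fetched from inside the corporate network corresponds to the DPI case above: the issuer is your own inspection CA rather than the public CA.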
How to Check the Expiration Date of a Certificate Using Chrome Browser
Checking the expiration date of an SSL certificate directly from your Chrome browser is a straightforward process. Here’s how you can do it:
- Open the Website: Navigate to the website for which you want to check the SSL certificate in your Chrome browser.
- View the Certificate: Click on the padlock icon located on the left side of the address bar. This indicates a secure connection.
- Certificate Information: After clicking the padlock icon, a menu appears. Click on "Certificate" to view detailed information about the site's SSL certificate.
- Check Expiration Date: In the Certificate window, you will see several tabs such as "General", "Details", and "Certification Path". Under the "General" tab, look for the "Valid from" dates. This shows the range of dates for which the certificate is valid, including the expiration date.
Example Timeline 1
If the current SSL certificate expires on Thursday, November 30th, the timeline will be as follows:
- New SSL Certificate Available: November 13th (two Mondays before November 30th).
- Switch to New SSL Certificate: November 27th (the last Monday before November 30th).
- Reminder Emails: First reminder sent earlier in November, with a follow-up reminder on November 24th (Friday before the switch).
- Completion Confirmation: Email sent shortly after November 27th, including the next expiration date.
Example Timeline 2 (Expiration Date on a Monday)
If the current SSL certificate expires on Monday, December 4th, the timeline for the renewal process will be adjusted slightly due to our policy of switching to the new certificate on the last Monday before the expiration. Here's how it works in this scenario:
- New SSL Certificate Available: November 20th (two Mondays before December 4th).
- Switch to New SSL Certificate: November 27th (the Monday immediately preceding the expiration date of December 4th).
- Reminder Emails: The first reminder is sent earlier in November, with a follow-up reminder on November 24th (Friday before the switch).
- Completion Confirmation: An email is sent shortly after November 27th, detailing the completion of the SSL update and including the next expiration date.
This example illustrates the process when the certificate's expiration date falls on a Monday, necessitating the renewal to be completed the previous Monday to ensure continuous security and service integrity.
Conclusion
The annual renewal of our SSL certificates is a critical process to ensure uninterrupted and secure service. By following the outlined steps to download and update your SSL certificate, you can ensure that your integrations with L2L continue to function seamlessly. Should you have any questions or require assistance, please do not hesitate to contact our support team.
Thank you for your attention to this important process and your continued partnership with L2L.
FAQs
Is this related to the remote certificate that we use in our Ignition system?
Normally, Ignition should work fine without installing any certificate. However, internal security can sometimes intercept the certificate verification, which may require you to install one.
Do I need a new API Key or Auth Key?
NO.
How to know if you need to update your SSL?
Here is how it works. Our certificate is issued by Sectigo, and the Sectigo certificate is approved down the chain by generic, well-known certificate authorities, which provide and distribute certificates. Those certificate authorities are already embedded in operating systems and browsers.
Because the AAA Certificate Services and USERTrust certification authorities are known to all up-to-date browsers and operating systems, you don't need to do anything. If the browser sees a new certificate for a site, it goes back to those certificate authorities and verifies the validity of the certificate, so normally no action is needed.
If you are using an internal root certificate (that is, your own certificate authority on your firewall, based on your security policies), you will not see Sectigo as the issuer of our certificate. You will see your own firewall's certificate authority name instead. At that point, you will need to update it to the new certificate.