19 May 2021
Following global best practices in data security, Yieldbroker requires the use of SSL/TLS certificates to encrypt all inbound and outbound traffic.
To ensure continued access to the Yieldbroker DEBTS platform and other key services that we provide to your organisation, you will need to install a new Root Certificate for all users.
Root Certificate: Let’s Encrypt X1
Yieldbroker's server certificates are currently signed by the Let's Encrypt R3 intermediate certificate, which is signed by the DST Root CA X3.
The Root CA - DST Root CA X3 (https://crt.sh/?id=8395) will no longer be valid after "Sep 30 14:01:15 2021 GMT". Any certificates that chain to this root can no longer be verified after that time.
To support this change, we are moving to a different version of the Let's Encrypt R3 intermediate certificate, which is signed by ISRG Root X1 instead of DST. The ISRG Root X1 certificate is valid until 4 June 2035.
Please note that the ISRG Root X1 is relatively new (issued in 2015) and was not included in older versions of Operating Systems. We strongly recommend that any user or system that connects to Yieldbroker checks that the ISRG Root X1 is installed in their OS or FIX setup, including both production and test systems. If it is not installed, the self-signed certificate can be downloaded from the Let's Encrypt website.
Let’s Encrypt’s information page can be found via this link: https://letsencrypt.org/certificates/.
Yieldbroker will be making this change via a phased approach:
- 1 May: We have set up https://office.yieldbroker.com/ as a test site. Please point your browser there to confirm it works (NB: you will receive a diagnostic page of the request).
- 1 June: We will be installing a new certificate for https://uat.yieldbroker.com. Please try to launch UAT DEBTS (if you have it installed).
- 15 June: We will be installing a new certificate for https://simulation.yieldbroker.com. Please try to launch Yieldbroker DEBTS connecting to the Simulation environment.
- 1 July: We will be installing new certificates on our UAT and SIM FIX and MarketData services uatfix.yieldbroker.com and simfix.yieldbroker.com.
- 1 August: We will be installing our new certificates on our production environment https://trading.yieldbroker.com, https://www.yieldbroker.com, https://client.yieldbroker.com and fix.yieldbroker.com.
How You Can Help
To ensure continued access to the Yieldbroker platform please:
- Test that your system is able to verify connectivity to the test sites as soon as possible and by no later than 31/07/2021.
- Follow best practices for securely connecting to Yieldbroker services and trust the Root Certificate.
- Check with your organisation’s security team and review your policies for managing Root CAs and/or how to certify vendor services.
- Update for all users once tested and verified.
Please note that we renew our certificates every 60 - 90 days. Whilst linking directly to the server certificate is valid, that certificate has a maximum life of only 90 days.
Operating System Requirements
- Windows / DEBTS users, please make sure you have the latest Root CA patch. This will ensure that the ISRG Root X1 is installed. You can verify this at https://valid-isrgrootx1.letsencrypt.org/.
- Linux users, please ensure that you have the latest Root CA package and confirm that the ISRG Root X1 certificate is installed.
- Java uses its own root certificate store. Please use the latest version of Java or install the ISRG Root X1 root certificate.
- Stunnel users, please create a single file containing both the DST Root CA X3 and ISRG Root X1 certificates, using the PEM encoded files, and trust those two Root CAs.
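One way to script the trust-store check requested above, as an added example that is not Yieldbroker's or Let's Encrypt's own code: it reads the roots Python's `ssl` module trusts by default and reports whether ISRG Root X1 and DST Root CA X3 are missing, expired or trusted. The function names and the sample store are assumptions made for illustration, and the result covers only the OpenSSL default store, not Java's separate store.

```python
import ssl
from datetime import datetime, timezone

ROOTS = ("ISRG Root X1", "DST Root CA X3")  # root names taken from the notice

def common_name(cert):
    """Subject commonName of a dict shaped like SSLContext.get_ca_certs() output."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def root_status(ca_certs, at):
    """Return {root: 'missing' | 'expired' | 'trusted'} as of aware datetime `at`."""
    status = dict.fromkeys(ROOTS, "missing")
    for cert in ca_certs:
        name = common_name(cert)
        if name in status and status[name] != "trusted":
            expiry = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
            status[name] = "expired" if at >= expiry else "trusted"
    return status

def ready_for_cutover(status):
    """After the move to the ISRG-signed R3, only ISRG Root X1 has to verify."""
    return status["ISRG Root X1"] == "trusted"

def system_roots():
    """Roots Python/OpenSSL trusts by default. Certificates that live in a
    capath directory are listed only after they have been used once."""
    return ssl.create_default_context().get_ca_certs()

# Constructed sample (not read from a real machine): an old store with only DST.
SAMPLE_OLD_STORE = [{
    "subject": ((("organizationName", "Digital Signature Trust Co."),),
                (("commonName", "DST Root CA X3"),)),
    "notAfter": "Sep 30 14:01:15 2021 GMT",  # expiry quoted in the notice
}]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    status = root_status(system_roots(), now)
    for name, state in status.items():
        print(f"{name}: {state}")
    print("ready for cutover:", ready_for_cutover(status))
```

A host that reports ISRG Root X1 as missing needs the root installed before the phased dates above; a successful connection to the test sites remains the end-to-end confirmation.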
Yieldbroker’s long-term plan is to move to the Let’s Encrypt E1 or E2 signing certificates as this moves off RSA style keys onto ECDSA style keys.
Platforms that trust ISRG Root X1
- Windows >= XP SP3 (assuming Automatic Root Certificate Update isn’t manually disabled)
- macOS >= 10.12.1
- iOS >= 10 (iOS 9 does not include it)
- iPhone 5 and above can upgrade to iOS 10 and can thus trust ISRG Root X1
- Android >= 7.1.1 (but Android >= 2.3.6 will work by default due to our special cross-sign)
- Mozilla Firefox >= 50.0
- Ubuntu >= xenial / 16.04 (with updates applied)
- Debian >= jessie / 8 (with updates applied)
- Java 8 >= 8u141
- Java 7 >= 7u151
- NSS >= 3.26
If you have any questions please contact the Yieldbroker Helpdesk.
Phone (within Australia): 1800 220 550
International: +61 2 9994 2890
London Desk: +44 203 769 0355