19 May 2021

Following global best practices in data security, Yieldbroker requires the use of SSL/TLS certificates to encrypt all inbound and outbound traffic.

To ensure continued access to the Yieldbroker DEBTS platform and other key services that we provide to your organisation, you will need to install a new Root Certificate for all users.

Root Certificate: Let’s Encrypt X1

Yieldbroker's server certificates are currently signed by the Let's Encrypt R3 intermediate certificate, which is in turn signed by the DST Root CA X3.

The Root CA - DST Root CA X3 (https://crt.sh/?id=8395) will no longer be valid after "Sep 30 14:01:15 2021 GMT". Any certificate that chains to this root will then fail verification.

To support this change, we are moving to a different version of the Let's Encrypt R3 intermediate certificate, which is signed by ISRG Root X1 instead of DST. The ISRG Root X1 certificate is valid until 4 June 2035.

Please note that the ISRG Root X1 is relatively new (issued in 2015) and was not included in older versions of Operating Systems. We strongly recommend that every user or system that connects to Yieldbroker checks that the ISRG Root X1 is installed in their OS or FIX setup, including both production and test systems. If it is not installed, the self-signed certificate can be downloaded from the Let's Encrypt website.

Let’s Encrypt’s information page can be found via this link: https://letsencrypt.org/certificates/.

Our Plan

Yieldbroker will be making this change via a phased approach:

How You Can Help

To ensure continued access to the Yieldbroker platform please:

  1. Test that your system is able to verify connectivity to the test sites as soon as possible and by no later than 31/07/2021.
  2. To follow best practices for securely connecting to Yieldbroker services, please trust the Root Certificate.
  3. Check with your organisation’s security team and review your policies for managing Root CAs and/or how to certify vendor services.
  4. Update for all users once tested and verified.

Please note that we renew our certificates every 60 to 90 days. Whilst linking to the server certificate itself is valid, that certificate has a maximum life of only 90 days.

Operating System Requirements
  • Windows / DEBTS users, please make sure you have the latest Root CA patch. This will ensure that the ISRG Root X1 is installed. You can verify here https://valid-isrgrootx1.letsencrypt.org/.
  • Linux users, please ensure that you have the latest Root CA package and confirm that the ISRG Root X1 certificate is installed.
  • Java uses its own root certificate store. Please use the latest version of Java or install the ISRG Root X1 root certificate.
  • Stunnel users, please create a file that includes both the DST Root CA X3 and ISRG Root X1, using the PEM-encoded files, and trust those two Root CAs.
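
One way to run the trust-store check requested above, as an added example (not Yieldbroker's or Let's Encrypt's code): it reads the CA certificates loaded by Python's default TLS context and reports whether each root named in this notice is missing, expired or valid at a given time. The function names and the sample entries are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

WANTED = ("ISRG Root X1", "DST Root CA X3")  # root names from this notice


def common_name(cert):
    """Subject commonName of one SSLContext.get_ca_certs() entry."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def root_status(ca_certs, at):
    """Map each wanted root to 'missing', 'expired' or 'valid' at time `at`."""
    status = {name: "missing" for name in WANTED}
    for cert in ca_certs:
        name = common_name(cert)
        if name not in status or status[name] == "valid":
            continue
        expires = ssl.cert_time_to_seconds(cert["notAfter"])
        status[name] = "valid" if at.timestamp() <= expires else "expired"
    return status


# Constructed sample entries in the get_ca_certs() dict shape. The DST expiry
# is the one quoted in this notice; the ISRG time of day is an assumption.
SAMPLE = [
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "ISRG Root X1"),),),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    print("sample, 1 Oct 2021:",
          root_status(SAMPLE, datetime(2021, 10, 1, tzinfo=timezone.utc)))
    # Real check. Roots kept only in a capath directory are not listed by
    # get_ca_certs() until they have been used, so "missing" may need a
    # second look with the OS tooling.
    store = ssl.create_default_context().get_ca_certs()
    for name, state in root_status(store, datetime.now(timezone.utc)).items():
        print(f"{name}: {state}")
```

A result of "missing" or "expired" for ISRG Root X1 on a production or test system means the root store needs updating before the change.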

Yieldbroker’s long-term plan is to move to the Let’s Encrypt E1 or E2 signing certificates, as this moves from RSA keys to ECDSA keys.

Let's Encrypt Hierarchy as of January 2021

Platforms that trust ISRG Root X1

From https://letsencrypt.org/docs/certificate-compatibility/:

If you have any questions please contact the Yieldbroker Helpdesk.

Phone (within Australia): 1800 220 550
International: +61 2 9994 2890
London Desk: +44 203 769 0355
Email: helpdesk@yieldbroker.com
