API Access - HTTPS cert switch to SHA256

Published on 06 January 2015

HTTPS Security Certificate Switch from SHA-1 to SHA-256 hash algorithms

Security best practices are always evolving - it is how we stay one step ahead of people with malicious intent and keep your data as secure as possible. Many of the big players on the web, Google and Microsoft among others, are requiring that certificates with SHA-1 hash algorithms be swapped out for ones with SHA-256. As computing power becomes cheaper, the older SHA-1 algorithm is deemed less secure than it was a few years ago, so Smartsheet has opted to follow suit and has updated our HTTPS certificates - including the ones for api.smartsheet.com.

What does this mean to you, a developer?

For most of you, this will be good news: your data is more secure than before and the change won't affect you at all. Some, unfortunately, may have issues connecting to our service due to the change in certificates. We have already seen issues with some versions of OpenJDK and older versions of Python. There are likely other clients we don't yet know about that will also reject the certificate.

What do I do if I am affected?

The root of the problem is typically that the certificate chains to a root certificate from a newer certificate authority that some older clients don't recognize. You'll need to acquire the root certificate and add it to your client's trust store so that the client will trust it. You can get a copy of the certificate using a browser or by following the instructions of the fine folks at serverfault.com.

For OpenJDK, we were able to solve the issue by taking a different approach - we noticed that the Oracle JDK didn't have any issues connecting, so we simply replaced the cacerts file in OpenJDK with the one from Oracle. The cacerts file can be found in /jre/lib/security/cacerts. Keep a backup of the original file and take the replacement only from a JDK installation you trust, because this file decides which certificate authorities every Java application on that runtime accepts.
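The failure and the fix described above, reproduced offline with `openssl` as an added example (not Smartsheet's code or certificates): a client whose trust store lacks the issuing root rejects a SHA-256-signed certificate until that root is added. The CA names, the host name api.example.test and all file names are constructed.

```bash
# Added example; every CA name, host name and file name below is constructed.

# make_root DIR NAME: create a self-signed root CA at DIR/NAME.pem (key: DIR/NAME.key)
make_root() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' "CN=Example $2 Root CA" \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1/$2.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA: issue DIR/leaf.pem for api.example.test, signed by CA using SHA-256
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
    -subj "/CN=api.example.test" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$1/leaf.csr" -CA "$1/$2.pem" \
    -CAkey "$1/$2.key" -set_serial 1 -out "$1/leaf.pem" 2>/dev/null
}

# trusted CERT BUNDLE: succeed only if CERT chains to a root contained in BUNDLE
trusted() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# sig_alg CERT: print the signature algorithm recorded in the certificate
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

demo() {
  d=$(mktemp -d)
  make_root "$d" old && make_root "$d" new && issue_leaf "$d" new || return 2
  cp "$d/old.pem" "$d/store.pem"        # stale client trust store: old root only
  echo "server certificate signed with: $(sig_alg "$d/leaf.pem")"
  trusted "$d/leaf.pem" "$d/store.pem" && echo "before: accepted" || echo "before: rejected"
  cat "$d/new.pem" >> "$d/store.pem"    # the fix: add the new root to the store
  trusted "$d/leaf.pem" "$d/store.pem" && echo "after: accepted" || echo "after: rejected"
  rm -rf "$d"
}
demo
```

For a Java client the same fix is an import of the root into the JDK's cacerts file with `keytool -importcert`, rather than appending to a PEM bundle.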

If you come across this issue and run into a roadblock, please reach out to us at api@smartsheet.com. If you are able to solve your particular scenario, we'd like to hear from you too so we can share it with the rest of the community.
