Walter Poupore - MSFT


On February 21, 2007 at 7:00 P.M. Pacific time, the Microsoft adCenter API production environment will receive updated Secure Sockets Layer (SSL) certificates. This maintenance will take approximately 1 hour. The maintenance is necessary because the existing production SSL certificates are set to expire on February 23, 2007.

We recommend that you do not run your adCenter API applications during the upgrade. After the upgrade, we believe that applications written in languages other than Java will not require any other action, but you should test your applications to make sure they work after the upgrade. There is no effect on the sandbox environment for this upgrade.

If you are using Java, you must take the following action AFTER the upgrade. First, download the updated production SSL certificate. The process for downloading the certificate depends on which type of Web browser you are using. These instructions are for Microsoft Internet Explorer 5.5 or later versions.

1) Open Internet Explorer and connect to https://adcenterapi.microsoft.com/V3/administration/administration.asmx?wsdl

2) In Internet Explorer 6, double-click the lock icon in the status bar, or in Internet Explorer 7, click the lock icon and then click View Certificates.

3) Select the Certificate Path tab and make sure that the adcenterapi.microsoft.com certificate is selected.

4) Select the Details tab, and then click the Copy to File button.

5) In the Welcome to the Certificate Export Wizard, click Next.

6) Select either the DER or the Base-64 encoding scheme. Both choices are acceptable.

7) Type a name for the file, and then click Next. For example, use msft_adcenter_prod.cer for the file name.

8) Click Finish.

Notice that you do not have to import a certificate from every production Web Services Description Language (WSDL) file. The certificate from one production WSDL file will let you access any production WSDL file, as the production WSDL files use the same certificate.

As the adCenter SSL Certificate is not among the certificates included in the Java keystore, you have to manually register the adCenter SSL Certificate as a valid certificate using the keytool command. When you use the keytool command, you will be prompted for a password. The default cacerts keystore password is "changeit". However, check with your system administrator as the password may have been changed. For more information about the keytool tool, see http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.

1) Open the directory where you saved your downloaded certificates.

2) Delete the existing Microsoft adCenter API production certificate from the Java key store. You can use the keytool command together with the -list verb to list the existing certificates. For example, after changing the path of the JRE cacerts file to match your system, run this command:

keytool -list -keystore %JavaHome%\jre\lib\security\cacerts

3) Within the list of certificates, locate the certificate you used for the adCenter production environment. After you identify the alias of that certificate, delete the certificate by using the keytool command and the -delete verb. The alias field should match the alias of the existing adCenter API production certificate in your Java key store.

keytool -delete -alias MSFT_old_cert -keystore %JavaHome%\jre\lib\security\cacerts

4) Import the new certificate by using the keytool command with the -import verb.

keytool -import -alias MSFT_adcenter -file msft_adcenter_prod.cer -keystore %JavaHome%\jre\lib\security\cacerts

Retest your Java application after taking these steps.

Thank you,

The Microsoft adCenter API Group
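
The keystore steps from the announcement above (delete the old alias, import the new certificate), with a fingerprint and validity check before anything is trusted. This is an added Java example, not code from Microsoft or the posters; the class name and argument order are assumptions, and it needs Java 9 or later for KeyStore.getInstance(File, char[]).

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (hypothetical class name), Java 9+.
// Usage: java ReplaceTrustedCert <keystore> <certFile> <oldAlias> <newAlias>
public class ReplaceTrustedCert {
    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (args.length != 4 || con == null) {
            System.err.println("usage (interactive console): ReplaceTrustedCert <keystore> <certFile> <oldAlias> <newAlias>");
            System.exit(2);
        }
        Path store = Paths.get(args[0]);
        char[] pass = con.readPassword("Keystore password: "); // prompted, like keytool

        // CertificateFactory accepts both export formats from step 6 (DER or Base-64).
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity(); // throws if the file holds an expired or not-yet-valid certificate

        // Print what is about to be trusted so it can be compared with a known-good value.
        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            fp.append(String.format("%02X", b));
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal().getName());
        System.out.println("Expires: " + cert.getNotAfter());
        System.out.println("SHA-256: " + fp);

        KeyStore ks = KeyStore.getInstance(store.toFile(), pass); // detects JKS or PKCS12 and loads it
        if (ks.containsAlias(args[2])) {
            ks.deleteEntry(args[2]);              // same effect as keytool -delete
        }
        ks.setCertificateEntry(args[3], cert);    // same effect as keytool -import
        // Write to a temporary file first so a failed save cannot truncate the keystore.
        Path tmp = Files.createTempFile(store.toAbsolutePath().getParent(), "ks", ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, pass);
        }
        Files.move(tmp, store, StandardCopyOption.REPLACE_EXISTING);
    }
}
```

Running it against a copy of cacerts and starting the application with -Djavax.net.ssl.trustStore set to that copy leaves the JRE-wide trust store unchanged.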




Re: adCenter API Production SSL Certificate Change February 21, 2007

Marc S


This is not acceptable.

6 hours' notice for a change that requires deploying new code on the client side to update a certificate.

There have been at least 4 times over the past few months when you have told developers that you are deploying a new certificate that isn't signed by a recognized CA, and they need to manually import it.

Can you please just start using certificates properly signed by a recognized authority so that we don't have to jump through these hoops?





Re: adCenter API Production SSL Certificate Change February 21, 2007

Shai Kariv - MSFT

Apologies for the late notice.

We believe that only Java developers need to manually import the certificate, as other programming environments will automatically do this when detecting a new certificate on the server. So it's not a matter of certificates not being signed properly, it's a matter of deploying new certificates, due to expiration of existing ones or new requirements (like requiring secure downloads of reports, which we started to enforce a few weeks ago).

Sorry again for the inconvenience, we will look into improving this process in the future.

Shai






Re: adCenter API Production SSL Certificate Change February 21, 2007

Marc S

I can assure you that as long as the certificate is properly signed, there is no need to manually import the certificate in Java.

The Yahoo Overture, Yahoo Panama, and Google equivalents of your APIs have not required any such manual work within the last several years that we have been using them daily (well, except Panama, which is fairly obvious).

I'm not sure what the problems have been with your certificates; maybe they have been signed by an authority that is Microsoft-specific and the world at large doesn't recognize, maybe something is odd about their format.

Thanks for looking at making this less of a headache.




Re: adCenter API Production SSL Certificate Change February 21, 2007

Shai Kariv - MSFT

Thanks Marc. I believe we now have it fixed. Let me know if you still experience problems. I am not going to announce it broadly outside this forum until I hear from several people that it actually worked smoothly for them.

Thanks for pushing on this issue, it helps us to improve!





Re: adCenter API Production SSL Certificate Change February 21, 2007

Marc S

I'll let you know, thanks. I'm going to be out next week so I won't be able to verify this until after then.

Thanks!




Re: adCenter API Production SSL Certificate Change February 21, 2007

Walter Poupore - MSFT

Here is a new related post for the adCenter SSL certificate in Java environments: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1265309&SiteID=1

Walter Poupore
Programming Writer
Microsoft adCenter