TL:DR: Signagelive needs to take action as our global root certificate will undergo changes due to the old certificate starting to be distrusted by Mozilla ahead of the expiration date. Our TLS certificate is therefore being renewed, and the new certificate will use the G2 root certificate instead of the current G1 version. The following email provides insight into the process, and guides users with either Tizen 2.4 or LG webOS 2.0 Media Players to take action.
Hello ,
We wanted to let you know that our Global Root Certificate has been changed, due to the old certificate starting to be distrusted by Mozilla ahead of the expiration date. Our TLS certificate is therefore being renewed and requires you to now take action as per this email.
Helping you with our Terms
To assist your understanding of this email, please see definitions behind some key and repeated terms used throughout this email. We hope this makes things clear for you.
G1 - Old Global Root certificate.
G2 - New Global Root Certificate
NENA - Signagelive End Point for allowing TLS 1.2 connections.
TLS - Transport Layer Security (protocol for allowing security over a network)
Background Reading
Back in 2020/21, if you were using Signagelive, you may recall a series of emails regarding our efforts in ‘Restricting the use of TLS 1.0 and 1.1 to only media players that do not support TLS 1.2 and above and preventing all other connections to our APIs from using those older protocols’.
Whilst restricting the use of TLS 1.0 and 1.1, we added the Signaglive NENA endpoints for certain Media Players to ensure their continuation of service and now we need to conduct this process again as before, but just for the LG webOS 2.0 and Samsung Tizen 2.4 devices.
We now refer back to this process in relation to the Global Root Certificate:
Why is the Global Root Certificate changing?
This change is taking place because our Global Root Certificate is being replaced with a new one by our TLS Certificate Issuer in September 2023, so we are going to renew in advance. The current certificate will become distrusted by Mozilla in 2026, so the provider is migrating all new certificates now.
Unfortunately the new root certificate is not supported on all Signagelive Media Players and so we must follow due process to mitigate any potential issues.
Whilst TLS root certificates last a very long time (ie. 10+ years) they do eventually need to be renewed and so therefore we must take this action. A root certificate is the most critical part of the SSL protocol as any certificate signed with its private key information will be trusted by all browsers readily, hence we recognise the importance of making this change.
What does this mean for your use of Signagelive?
Rest assured there’s nothing to be concerned about. Our TLS Certificate issuer is supporting us by enabling us to use both the old (G1) and new (G2) root certificates for the time being, however let’s look how the different Signagelive platform areas that will be impacted and what actions need to be taken:
Signagelive (UI) User Interface and associated API -
For our User Interface and associated API, we must switch to the new (G2) certificate as Mozilla is removing support for the older (G1) certificate. This decision is a direct consequence of the new Mozilla roots management policy that stipulates a maximum period for the use of root certificates. As of 2025, Mozilla will begin distrusting older root certificates including DigiCert ones.
Signagelive Media Players -
In relation to our Signagelive Media Players:
Existing Media Players: Some of our existing Media Players will support both the old (G1) and new (G2) certificate, however unfortunately some will only support the new (G1) certificate.
Newer Media Players: Newer Media Players may not support the old (G1) certificate and only the new (G2) version, hence Signagelive needs to implement multiple endpoints that are capable of handshaking with the correct certificates to allow no disruption to service.
Our primary endpoint eventually will be updated to the new (G2) certificate. With the old (G1) certificate however, we need to migrate older Media Players to our NENA endpoint; which includes the LG webOS 2.0 and Samsung Tizen 2.4 models.
What do the customer networks need to do?
We require users with LG webOS 2.0 and Samsung Tizen 2.4 devices to ensure they can connect to the following IP Addresses and Domains ahead of the proposed dates below. Failure to do so could result in your devices not being able to connect to the Signagelive service.
The new IPs and domains are:
134.213.79.62
nena-playerapi.signagelive.com
nena-smilapi.signagelive.com
nena-go.signagelive.com
nena-m2m.signagelive.com
nena-playerdataapi.signagelive.com
nena-screenshotuploadapi.signagelive.com
nena-roombookingapi.signagelive.com
nena-wbtapi.signagelive.com
nena-weatherapi.signagelive.com
Nena-static.signagelive.com
Is there a timetable for this process?
Yes; our TLS certificate expires in September 2023, so we are renewing early and will be following this events schedule:
June 2023 - Signagelive to renew the TLS certificate, and set the User Interface to use the new certificate with the G2 root, and Players to use a version of the certificate using the G1 root certificate.
June 2023 - Signagelive Support will begin to connect with both impacted LG webOS and Tizen 2.4 users that will be required to ensure these IP addresses are allowed.
October 2023 - Signagelive migrate LG webOS 2.0 to NENA.
October 2023 - Signagelive migrate Tizen 2.4 to NENA.
November 2023 - Signagelive to switch all Non-NENA Players to use the TLS certificate using the G2 root.)