Your data. Anywhere you go.

New Relic for iOS or Android


Download on the App Store    Android App on Google play


New Relic Insights App for iOS


Download on the App Store


Learn more

Close icon

Updates to the SSL certificates for nr-data.net and service.newrelic.com

rfb

#1

What is the update?

Following industry best practices, New Relic secures communications between customers and our infrastructure using TLS. Previously we have used Symantec’s GeoTrust as our certificate provider and will be transitioning to Digicert. This is in response to Chrome’s decision to distrust Symantec issued certificates.

When is the update taking place?

On Tuesday, February 27 at 1PM PT we will update the SSL certificates for * .nr-data.net and * .service.newrelic.com.

Why are we making this update?

SSL Certificates have a specific period of validity and must be replaced every couple years if not sooner. The certificates noted above are the first round of certificates we will update to meet the Chrome 70 Beta release deadline.

How will this impact New Relic users?

There should be little to no impact to customers.

If customers visiting your website are using older versions of Windows XP or previous versions of Windows, they may see an additional security certificate warning popup. However, these customers are likely already seeing certificate warnings from other websites due to the security certificates that are accepted by their operating system.

Questions?

If you have additional questions, please comment below!

Thank you for your patience and understanding while we continue to provide a better user experience.


Chrome Certificate Update
Browser metrics (bam.nr-data.net) SSL Cert
Recent Google Chrome Beta browser showing warning regarding nr-data.com PKI certs
#2

#3

Great that y’all are getting on top of this. Are y’all aware of the Certificate Transparency requirement that Chrome is going to start enforcing? Luckily for you, Digicert is very good about this (I use them) and can easily issue a duplicate that has CT turned on. It appears that it isn’t on the new cert you are using. Probably also want to look into OCSP Stapling, HSTS, and CAA to make sure that no one is trying to pull the scripts insecurely or trying to spoof you.

I imagine that this and the agent scripts would be prime targets for spoofing as they are so prevalent. The more you can do to guarantee that what the browser asks for is actually legit, the better.


#4

Thanks for jumping in and letting us know about these options and for offering suggestions, @AllCare!

Our customers take such good care of us. :blush:


#5

For any other devs out there that saw this and scrambled a little…free certs from LetsEncrypt include Certificate Transparency!


#6

@mjackman Yep, just about all should at this point. I just mentioned Digicert since New Relic’s new cert is from there. I guess I wasn’t being explicit enough in my response!


#7

It’s my understanding CT only applies to certificates issued after April 30, 2018 so any existing certificates should be unaffected which will help bide time for some.