Upcoming TLS Certificate Rotation
Incident Report for Smarty
On April 17, 2023 the current certificate for *.api.smartystreets.com will expire. This certificate was issued by Sectigo (previously known as Comodo) and is chained to the root certificate "USERTrust RSA Certification Authority".

On March 21, 2023 at 12pm Eastern Time (approximately 2 weeks hence), we will begin the process of rotating out this soon-to-expire certificate with a newer certificate issued by a service chained to one of our trusted certificate authorities, as listed in our documentation [1]. Specifically, we intend to begin using certificates issued by various ACME-compliant certificate providers. In this case we will begin using certificates with the industry standard 90-day expiration from a company called ZeroSSL. These new certificates will continue to be chained to the same root CA as our soon-to-expire certificate issued by Sectigo.

Following this, on April 18, 2023 we will begin to introduce certificates issued by Let’s Encrypt (chained to “ISRG Root X1”) and Google (chained to various "GTS Root" certificates).


Q: Will I need to take any action?
A: If you are "pinning" our certificate (meaning hard coding the certificate into your application, runtime (e.g. Java), or operating system "trust store"), yes. Please be aware that our certificates will now rotate on a much more frequent basis. In the past, the certificates were rotated yearly. Now they will be rotated at least every 60 days and often as frequently as every 30 days.

Further, if you are manually curating which root certificate authorities you allow into your trust store, you will need to ensure that those listed in our documentation [1] are added to your trust store.

Q: Why rotate the certificates so frequently? Isn’t that insecure?
A: It is considered an industry best practice to rotate certificates as frequently as reasonably possible. Doing so actually increases security and drastically decreases the likelihood of private key exposure. All automated (ACME-based) certificate providers typically have certificates expire after 90 days. In fact, in 2020 Apple began to enforce a 397 day limit on all certificates meaning that those with an expiration longer than 1 year and 1 month would be considered invalid. In other words, certificates with longer expiration dates are now considered to be less secure than those with shorter expiration dates.

Q: What if I have more questions.
A: Please reach out to our support team for further clarification if you have any questions on the matter.

[1] https://www.smarty.com/docs/cloud/requirements#trusted-authorities
Posted Mar 10, 2023 - 17:40 UTC
This incident affected: US Autocomplete API, US Autocomplete Pro API, Account Management Portal, Public Website, Forward Proxy API, US Extract API (us-east, us-central, us-west), US ZIP Code API (us-east, us-central, us-west), International Street API (us-east, us-central, us-west), and US Street Address API (us-east, us-central, us-west).