Note: If you recently received an email from Blackbaud asking you to contact DigiCert to complete verification steps please complete this as soon possible. DigiCert is available 24x7 and can be reached at 1-800-896-7973. Be sure to have the certificate details from the email you received to use as a reference. After you complete the call, you do not have to take any further action.
Have you seen a "Not Secure" message appear on your website or seen it more frequently as you browse the web using Chrome, Firefox or Safari browsers? These sites haven't suddenly been hacked; this new security marking is part of an effort started by Google to increase website security. By gradually changing the security markings on websites, they hope to compel website owners to use HTTPS encryption to tighten up security on their sites.
Per a recent Google blog post on the topic:
"Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure, and the default unmarked state is secure. We will roll this out over time, starting by removing the “Secure” wording in September 2018. And in October 2018, we’ll start showing a red “not secure” warning when users enter data on HTTP pages.
In October’s version of Chrome (70), you’ll see a red “not secure” notification when you enter data on an HTTP page."
What is Blackbaud doing?
For Luminate Online: Blackbaud is addressing it by updating the certificates that are associated with the secure[2,3].convio.net domains.
For Blackbaud NetCommunity and Blackbaud Internet Solutions: Blackbaud is updating all certificates in advance that have been purchased through Blackbaud.
For all other hosted products, including but not limited Sphere, eTapestry, Online Express, Blackbaud Hosting etc: Blackbaud is updating all impacted certificates in advance.
What do I need to do as a Luminate Online client?
If you do not have a custom secure domain, then you don’t have to do anything. Blackbaud and the Luminate Online hosting team will ensure that our certificates are updated properly.
You will need to renew your SSL certificate before April 2018 if you haven’t renewed since June 1, 2016 (which you likely have as it is a yearly renewal process),
if you have renewed your certificate between June 1, 2016 and Dec 1, 2018 (with a Symantec issued certificate) you will need to renew again before October 23.
How is DigiCert handling this with Symantec? Is it possible that I'll have to do nothing with a newer (issued after June 2016). DigiCert has their current plans outlined here.
Symantec and Symantec sub-brands make up the current SSL options for Luminate Online: Verisign/Norton, Geotrust, Thawte - so what do I renew with?
Going forward, the certificate ownership of Symantec has been sold to DigiCert. Any new certificates for custom secure domains for Luminate Online should be purchased via DigiCert, and any renewals for Verisign/Norton, Geotrust or Thawte will actually be DigiCert certificates.
How Do I Get Rid of This Message in Luminate / TeamRaiser?
Luminate Online and TeamRaiser have always used HTTPS encryption on transactional pages, so your donation and registration forms are not affected by this change. A recently released update now allows you to also secure non-form pages with HTTPS.
This update, which we call "Secure Luminate", will redirect pages from HTTP to HTTPS - and eliminate "Not Secure" messages from most of your Luminate and TeamRaiser pages. It's important to know that website content updates may be required. Any hard coded links that point to HTTP content may need to be updated. You can read more about that process here: Luminate Online - Secure Readiness and Information.
Secure Luminate can be activated by contacting Support and referencing KB 117976.
Do You Need a Custom Secure Certificate Now?
To encrypt a website with HTTPS requires a secure certificate - an "SSL certificate" - that confirms your identify as a provider of content for your URL. Most Luminate customers use a shared Blackbaud SSL certificate, which is why your payment form pages might have the URL secure2.convio.net or secure3.convio.net.
If you use the shared Blackbaud secure certificate, switching to HTTPS for most of your webpages will cause all of them to display the secureX.convio.net URL rather than your own nonprofit URL.
To maintain branding on these pages, you need to add a custom SSL certificate. This will change the URL on all HTTPS pages (including payment pages) from secureX.convio.net to something like "secure.YourNonprofitURL.org".
Ask Support or Customer Success about adding a custom SSL certificate and reference KB 118032.
What do I need to do as a Luminate CMS client?
- LCMS secure will be available in the upcoming LCMS release (TBD) and will allow LCMS clients to serve their pages via HTTPS. Updates will be shared as they become available.
- LCMS customers must have a custom SSL certificate. Please refer to KB 118032 if you would like to request a custom SSL certificate.
- Switching to LCMS secure doesn't require a relative/hard-coded URL review; LCMS has a "search and replace" feature in the event the customer receives a mixed content warning.
What do I need to do as a Blackbaud NetCommunity and Blackbaud Internet Solutions client?
After Blackbaud has initiated the update process, you will be contacted by Geotrust to authorize the update/renewal. Once you authorize the renewal, Blackbaud will receive and update the certificate.
If you have a self-provided certificate not purchased through Blackbaud for your hosted Blackbaud NetCommunity/Internet Solutions website, due to a change in our hosting policy, Blackbaud no longer accepts client provisioned certificates. You will need to contact Support and request a re-issue for the certificate of the affected domain.
- We will order a new cert for you that covers the remaining time on your existing cert.
- You will need to validate the request, when GeoTrust/Symantec/Digicert contacts you.
- We will install it as soon as we receive notification from GeoTrust that validation/verification has been completed.
- It's a zero cost value add for Blackbaud in install the re-issued certificate to your existing hosting services.
- NOTE: This only applies to a re-issue related to Google distrusting Symantec certificates.
- In the future, you will not have to worry about going through the renewal process as we will track, order, and install the certificate.
- NOTE: You will receive a renewal email from Digicert/GeoTrust, prior to an SSL certificates expiration date that requires authorization/validation before we can proceed with the renewal.
- An expired cert will discourage donations.
- If the cert expires we will fail our PCI compliance audits.
For all other hosted products, including but not limited Sphere, eTapestry, Blackbaud Hosting etc: No action is needed.
How can I check to see if my certificate will be impacted?
If you load your site in Google Chrome, right click anywhere and select “inspect element” this will bring up the web developer console. Once that appears, click on the “Console” tab. If your certificate needs to be updated, there will be a message there “ The SSL certificate used to load resources from https://secure2.convio.net will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.”