Guidewire server certificates

Several Certificate Authorities (CAs) provide generation and lifecycle management for the SSL/TLS certificates that are required to secure HTTPS traffic to Guidewire applications.

Mozilla Root Store

To trust Guidewire server certificates, Guidewire recommends that you use a well-known trust store such as the Mozilla Root Store.

Let's Encrypt

If downloading the trust store from the Mozilla Root Store is not an option, use the Let's Encrypt certificates.

Let's Encrypt root certificates are typically included by default in most operating systems and Java environments, so it is usually not necessary to add them to the trust store manually. If necessary, you can download these certificates from the Let's Encrypt website. Guidewire recommends that you upload the root certificates to your trust store, but not the intermediate or leaf certificates. The root and intermediate certificates apply to all Guidewire Cloud Platform supported regions and environments:
  • Guidewire recommends the ISRG Root X1 root certificate.
  • Intermediate certificates are usually provided as part of the TLS handshake when your Java application connects to a server, so it is usually not necessary to download them separately. If you do need one, Guidewire recommends Let's Encrypt R10.
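One way to check a client trust store against the recommendation above (roots only, with ISRG Root X1 present), as an added example that is not Guidewire's own code. The function names, the sample entries and the 90-day leaf heuristic are assumptions made for illustration; entries use the dictionary shape returned by Python's `ssl.SSLContext.get_ca_certs()`.

```python
import ssl
import time

RECOMMENDED_ROOT = "ISRG Root X1"  # root certificate named on this page
LEAF_LIFETIME_S = 90 * 86400       # leaf certificates expire in 90 days

def _cn(name):
    """commonName from the nested-tuple name form the ssl module uses."""
    return next((v for rdn in name for k, v in rdn if k == "commonName"), "")

def audit_trust_entries(entries, now=None):
    """Audit decoded certificates shaped like SSLContext.get_ca_certs() output.

    Returns (has_recommended_root, findings). Each finding is (commonName, kind)
    where kind is "intermediate", "leaf" or "expired-root".
    """
    now = time.time() if now is None else now
    has_root, findings = False, []
    for cert in entries:
        cn = _cn(cert["subject"])
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
        if cert["subject"] != cert["issuer"]:
            # Not self-issued, so not a root. Heuristic (assumption): a
            # validity period of 90 days or less marks a rotating leaf.
            findings.append((cn, "leaf" if end - start <= LEAF_LIFETIME_S else "intermediate"))
        elif end < now:
            findings.append((cn, "expired-root"))
        elif cn == RECOMMENDED_ROOT:
            has_root = True
    return has_root, findings

def _entry(cn, issuer_cn, not_before, not_after):
    """Build a constructed sample entry (not a real certificate)."""
    name = lambda c: ((("commonName", c),),)
    return {"subject": name(cn), "issuer": name(issuer_cn),
            "notBefore": not_before, "notAfter": not_after}

# Constructed sample trust store; validity dates are illustrative only.
SAMPLE = [
    _entry("ISRG Root X1", "ISRG Root X1", "Jan  1 00:00:00 2015 GMT", "Jan  1 00:00:00 2035 GMT"),
    _entry("R10", "ISRG Root X1", "Jan  1 00:00:00 2024 GMT", "Jan  1 00:00:00 2027 GMT"),
    _entry("app.example.invalid", "R10", "Jan  1 00:00:00 2025 GMT", "Apr  1 00:00:00 2025 GMT"),
]

if __name__ == "__main__":
    print(audit_trust_entries(SAMPLE))
    # Same audit over the CA certificates Python loads by default on this host.
    print(audit_trust_entries(ssl.create_default_context().get_ca_certs()))
```

Any "intermediate" or "leaf" finding marks an entry that will stop matching once that certificate is replaced, which is why only the root belongs in the store.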

Certificate rotation

Guidewire's server (leaf) certificates expire in 90 days, and Guidewire starts rotating certificates at 60 days. This process is automated, ensuring continuous availability and security of Guidewire services without requiring manual intervention on your part.