ISSUE:
Replacement of SSL certificates on the Treasury Website
SYSTEMS/PROCESSES IMPACTED:
Scripts and other automated processes that download OFAC's list-related data products; browsing OFAC's website (depending on browser used and its configuration).
WARNING:
Failure to act on the advice provided in this notice may prevent SDN (and other list) screening systems from properly updating.
DESCRIPTION AND REMEDY:
The US Department of Treasury is initiating the annual renewal of the public certificate securing www.treasury.gov website, including OFAC sanctions list downloads. The existing certificate (expiring August 26, 2022) will be replaced on May 26, 2022 at 9PM. This process will take roughly 3-6 hours for the replacement certificate to be distributed worldwide.
In addition, this year's certificate will be updated with new TLS and Cipher settings, notably TLS 1.0, TLS 1.1 support will be removed.
Protocols Supported: TLS 1.2, TLS 1.3
Ciphers Supported:
- TLS-AES-256-GMC-SHA384
- TLS-CHACHA20-POLY1305-SHA256
- TLS-AES-128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
If your application pins or otherwise trusts the serial number of the existing certificate as part your application functionality, you may need to update your configuration to trust the renewed certificate. The renewed public certificate, effective May 26, 2022 at 9PM, can be downloaded via the following URL, https://s3.amazonaws.com/www.treasury.gov-2022-certificate/www.treasury.gov-2022-2023-Renewed-Certificate.cer.zip. To prevent loss in functionality, please ensure your applications trust this certificate, and are configured to accept encrypted connections using the updated TLS protocols and ciphers by the May 26 replacement date.
Please contact OFAC technical support at 1-800-540-6322 Option #8 or O_F_A_C@treasury.gov with any questions that you may have about this change.