Our SSL provider, Sectigo, has migrated its signing infrastructure to a new, more secure Public Server Authentication Root (R46). The new root certificate replaces the older trust chain based on AAA Certificate Services and USERTrust RSA Certification Authority.

How does it impact users?

Due to this change, if you are accessing Kissflow through systems that cannot receive OS/browser updates regularly (for example, legacy servers, embedded devices, or isolated environments) you may encounter one of the following SSL trust errors. This means you will no longer be able to access Kissflow.

In legacy environments/servers:

• SSL handshake failure

• SSL connection failed

• ERR_SSL_PROTOCOL_ERROR

In older browsers:

• NET::ERR_CERT_AUTHORITY_INVALID

• Your connection is not private

This occurs because those environments still rely on the older certificate trust path, that is, AAA Certificate Services  →  USERTrust RSA Certification Authority → Sectigo.

Deadlines for SSL certificate renewal

If you are on the Kissflow.eu domain

Update the new SSL certificate by February 13, 2026.

If you are on the Kissflow.com domain

Update the new SSL certificate by February 27, 2026.

After the mentioned dates, only the new Sectigo root (R46) will be supported and trusted.

How to verify if your environment is compliant with the new root certificate

To verify if your system trusts the new certificate, you can perform one of the following checks using:

• A web browser.

• OpenSSL.

Note:
You must run these tests from the specific browser or environment you use to access Kissflow.

1. Using OpenSSL

Run the following command from a terminal

openssl s_client -connect sectigo.com:443 -showcerts

If your root certificate is updated, your output will look like this:

Issuer: Sectigo Public Server Authentication Root R46

Verify return code: 0 (ok)

This means your environment trusts the new certificate chain. No further action is needed from your end.

If your output does not return 0, then you need to import the new Sectigo R46 SSL certificate into your system.

2. Using a web browser 

1. Open https://www.sectigo.com/.

2. Click the padlock icon

    → Certificate viewer → Details.

3. Check if the root certificate listed is Sectigo Public Server Authentication Root R46.
   If the root is not R46, you must import the new Sectigo R46 SSL certificate.

The following browser and operating system versions natively support the new Sectigo Root R46 certificate.

If you are using a version older than these, you must either update the browser/OS, or manually import the new certificate to your operating system’s trust store.
We strongly recommend performing a verification check even if your systems meet the minimum requirements.

Importing the new Sectigo R46 SSL certificate

If your systems cannot receive OS/browser updates regularly (for example, legacy servers, embedded devices, or isolated environments), you have to manually install the new R46 root certificate into your system’s trusted root store before February 13, 2026 or February 27, 2026 depending on your domain.

1. Download the official Sectigo Public Server Authentication Root R46 certificate from:
   Sectigo Public Root Certificates - USERTrust RSA CA  (https://crt.sh/?d=1199354)

2. Install the certificate into your Trusted Root Certification Authorities store.

Windows:
Open certmgr.msc → Trusted Root Certification Authorities → Import.

macOS:
Open Keychain Access → System Roots → Import.

Linux:
Copy the certificate to the path /usr/local/share/ca-certificates/ and run the command:

sudo update-ca-certificates

Java:
Copy the certificate to the path $JAVA_HOME/lib/security/cacerts and run the command:

keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts \
-alias sectigoR46 -file SectigoPublicServerAuthenticationRootR46.crt

After the import is complete, restart the application or web browser.

Note:
If your technical team connects to Kissflow via Docker or other containerized environments, you must ensure the new SSL certificate is also updated in the Docker images and containers.

Importing the official Sectigo Root R46 certificate ensures your systems continue to trust Kissflow and that your connection remains secure.

To maintain a secure and uninterrupted connection, please complete the certificate update by the February 13 or February 27 deadline, depending on your region.

If you require assistance regarding this, please contact our support team, and we will be happy to help you resolve the issue.

Google Cloud NAT (Network Address Translation) is a service provided by Google Cloud Platform (GCP) that enables specific resources to establish outbound connections to the internet or other Virtual Private Cloud (VPC) networks.

Currently, Kissflow uses dynamic public IPs managed by Google Cloud NAT for all outbound calls, including integration calls to connect external applications. To enhance stability and streamline operations, we are transitioning to static public IPs.

What is changing

After 07 January 2024, Kissflow will use manual IP allocation strategy in Google Cloud NAT service, allowing users to use reserved static IPs that remain constant over time. This will eliminate the need for frequent updates to firewall rules with new Kissflow public IPs. 

Who will it affect

This change will affect users who have configured their firewalls by safelisting Kissflow IPs to allow Kissflow’s integration calls to applications in their network. Users who haven’t implemented this configuration will not be affected. 

What you need to do for uninterrupted services

1. Safelist the new Kissflow public IPs (see below) along with the current public IPs before 07 January 2024.

2. After 07 January 2024, remove the old IPs (see below) from your safelisted IP list, as they will not be associated with Kissflow's public IP.

Kissflow’s outbound integration calls to applications in your network will be allowed only if you safelist the new IPs listed below. Failure to do so will result in the disruption of those integration calls.

Old and new IPs

Effects during change implementation

We’ll implement these Cloud NAT changes on 07 January 2024 (Sunday) during a period of minimal traffic to minimize any potential disruption. During the implementation, there may be a brief impact lasting less than one minute while triggering integrations.

We appreciate your understanding and support during this transition. If you have any questions or concerns, please reach out to us in the comments or our support team.

• English
• Italian (Italiano)
• Korean (한국어)
• Japanese (日本語)
• Simplified Chinese (简体中文)
• Russian (Русский)
• German (Deutsch)
• Spanish (Español)
• French (Français)
• Brazilian Portuguese (Portuguesê (Brazil))
• Vietnamese (Tiếng Việt)
• Thai (ภาษาไทย)
• Arabic (عربى)
• Polish (Język Polski)

Our primary support communication is through the Kissflow Community, which can be accessed through the product by clicking on the (?) next to the profile picture or by visiting https://community.kissflow.com/. Customers can post questions and report issues or defects using the " Get Help" section, which is the main mode of communication available in Kissflow. If you have a question related to using Kissflow, our team will respond promptly.
 

We provide chat as our secondary support channel, enabling customers to report account-specific issues or defects in the chat within the Kissflow Community. The 1:1 chat can be found within the Kissflow Community. We recommend email communication only in cases where users cannot log in via Kissflow due to downtime or other critical issues. All emails sent to support@Kissflow.com are directed to our chat system and managed by our team of support specialists.

Kissflow's live chat and phone/remote assistance support timings vary depending on the product and plan you select.

Status page

The Kissflow system is being actively monitored, and issues, if any, will be reported immediately on the Kissflow status page. You can check this page if you’re facing any service availability issues and downtime. 

General SLA Terms

All conversations that originate in our chat system will be answered within 24 hours on business days. However, we generally respond in a much shorter time. Our current average response time during business hours is about 30 minutes.

For defects that are confirmed by our product specialist, the following SLAs will apply:

Critical defects

Example: The system is down

• Ticket response time: 4 hours
• Immediate workaround*: 4 hours
• Permanent fix: 48 hours

Highly important defects

• Example: An entire module is affected
• Ticket response time: 4 hours
• Immediate workaround: 24 hours
• Permanent fix: 1 week

Medium defects

• Example: A feature within a module is affected
• Ticket response time: 8 hours
• Immediate workaround: 3 business days
• Permanent fix: Next release

Low defects

• Example: Annoyances
• Ticket response time: 48 hours
• Workaround or fix: As seen fit^

*An immediate workaround is an acceptable solution to the specific problem reported.

All timelines exclude Saturdays and Sundays.

For large enterprise deals, we can include these SLAs in a signed contract. Write to contact {at} kissflow.com for more information.