IDA: Lumina certificate expiration on October 10, 2019

Intended audience

All users of IDA 7.4 that rely on the Lumina service.

The problem: certificate expiration date on Oct 10th, 2019

IDA 7.4 has a relatively simple method for checking the server certificate that it receives when connecting to the lumina.hex-rays.com host. That method was fine as a first shot, but we are now fast approaching the date of October 10th, 2019, which will invalidate the one-year-validity period of the certificate that IDA relies on.

Does that mean IDA won’t be able to connect to lumina.hex-rays.com?

Yes, it means just that: IDA will receive the certificate from the lumina.hex-rays.com server, but even before being able to perform its own checks, the basic validation performed by the lower-level (e.g., libssl) will fail due to the certificate having expired.

Is there a workaround?

Yes. We knew this day would happen since the beginning, and until we implement a more traditional certificate chain validation (à la web browser), we have left open the possibility to provide an additional certificate to IDA, in the form a path/to/ida-install/hexrays.crt file.

How to act?

On October 10th, 2019, if you ever notice that IDA fails to contact the lumina.hex-rays.com host, please:
  • download hexrays.crt (shasum: 7e47e7e22dc833c72ee015d4d4e063171f639cfb)
  • place it either:
    • next to IDA, in IDA’s installation dir, or
    • in %APPDATA%\Hex-Rays\IDA Pro (on Windows), or ~/.idapro (on Linux & OSX)
and you should be good to go.

In the future

In IDA 7.5, we implemented a proper certification chain mechanism (similar to what browsers do), so this workaround is not necessary for it or later versions.