Filtering by: GeoTrust x clear

March 8, 2023

encryption-everywhere root certificates Basic OV/EV ICA certificates SSL/TLS certificates Secure Site Pro OV/EV Fifth generation (G5) Secures Site OV/EV G5 intermediate CA certificates public ssl certificates Thawte GeoTrust RapidSSL
new

DigiCert moving to new G5 root and intermediate CA certificates

On March 8, 2023, at 10:00 MST (17:00 UTC), DigiCert will begin updating the default public issuance of TLS/SSL certificates to new, public, fifth-generation (G5) root and intermediate CA (ICA) certificate hierarchies.

TLS/SSL certificate brands:

  • DigiCert Basic, Secure Site, and Secure Site Pro OV and EV
  • GeoTrust DV, OV, and EV
  • Thawte DV, OV, and EV
  • RapidSSL DV
  • Encryption Everywhere DV

For more information, see our DigiCert G5 Root and Intermediate CA Certificate Update knowledge base article. We recommend you bookmark this page, as we will continue to update this article as new information, ICA certificates, and cross-signed roots become available.

Why is DigiCert moving to new root and intermediate certificates?

The industry now requires Certificate Authorities (CAs) to stop using multipurpose roots and ICA certificates and start using single-purpose certificates instead.

This means:

  • Each new DigiCert single-purpose G5 root chains to a single-purpose ICA certificate.
  • Each new single-purpose G5 ICA certificate only issues a single type of end-entity certificate.

For example, DigiCert has a single-purpose G5 root and ICA certificate for issuing RSA TLS/SSL certificates and another a single-purpose G5 root and ICA certificate for issuing ECC TLS/SSL certificates.

For more information about moving to single-purpose root and ICA certificates, see Mozilla's CA/Prioritization.

How do new root and intermediate CA certificates affect me?

From March 8, 2023, DigiCert will issue new public TLS/SSL certificates from the new G5 root and ICA certificate dedicated hierarchies. At this time, no action is required* unless you do any of the following:

  • Pin root or ICA certificates
  • Hard-code the acceptance of root or ICA certificates
  • Operate a trust store

We recommend updating your environment before March 8, 2023. Stop pinning or hard-coding root or ICA certificate acceptance and distribute DigiCert G5 roots to the local trust stores to ensure TLS/SSL certificates that chain up to the new root certificates are trusted.

How do the new G5 root and ICA certificates affect my existing TLS/SSL certificates?

Rolling out new root and intermediate CA (ICA) certificates does not affect existing TLS/SSL certificates. We don't remove old ICA and root certificates from certificate stores until all the certificates issued from them have expired. Active TLS/SSL certificates issued from a replaced root and ICA certificates remain trusted until they expire.

However, it does affect existing TLS/SSL certificates if you reissue or duplicate them from March 8, 2023. DigiCert will issue all new TLS/SSL certificates from the new G5 root and ICA certificate chains, including reissues and duplicates.

*Installing a cross-signed root certificate

Until our new G5 roots have the same ubiquity as the older DigiCert root certificates, we recommend installing the DigiCert-provided cross-signed root along with the intermediate CA certificate included with each TLS/SSL certificate issued from a G5 root certificate hierarchy.

Installing the cross-signed root certificate ensures your TLS certificate remains trusted even when its G5 root certificate is missing from a needed trust store.

We will add a link to instructions for installing a cross-signed root certificate as soon as they become available.

What if I need more time to update my environment?

If you need more time to prepare, contact DigiCert Support. We will set up your account so you can continue to use the root and ICA certificates you are using now.

Mozilla to distrust four DigiCert roots in 2024

The industry is moving to dedicated hierarchies, so the longer you stay on the old roots and ICA certificates, the less time you will have to move off them when the industry stops trusting them.

In 2024, Mozilla will distrust four DigiCert root certificates**:

  • April 2024
    • Baltimore CyberTrust Root, April 15, 2024
  • November 2024
    • DigiCert Assured ID Root CA, November 10, 2024
    • DigiCert Global Root CA, November 10, 2024
    • DigiCert High Assurance EV Root CA, November 10, 2024

If your certificates are issued from these certificate root hierarchies, you should move to new G5 root dedicated hierarchies before Mozilla distrusts your root certificate.

**TLS/SSL certificates issued before these dates will remain trusted until they expire. However, certificates issued from these dates, including reissues and duplicates, will no longer be trusted.

May 24, 2022

reissued certificates new certificates ICAs DV SSL certificates intermediate CA certificates compliance New GeoTrust RapidSSL
new

CertCentral to issue GeoTrust and RapidSSL DV certificates from new intermediate CA certificates

On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.

Old ICA certificates

  • GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
  • GeoTrust TLS DV RSA Mixed SHA256 2021 CA-1
  • RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
  • RapidSSL TLS DV RSA Mixed SHA256 2021 CA-1

New ICA certificates

  • GeoTrust Global TLS RSA4096 SHA256 2022 CA1
  • RapidSSL Global TLS RSA4096 SHA256 2022 CA1

See the DigiCert ICA Update KB article.

How does this affect me?

Rolling out new ICA certificates does not affect your existing DV certificates. Active certificates issued from the replaced ICA certificates will remain trusted until they expire.

However, all new certificates, including certificate reissues, will be issued from the new ICA certificates. To ensure ICA certificate replacements go unnoticed, always include the provided ICA certificate with every TLS certificate you install.

No action is required unless you do any of the following:

  • Pin the old versions of the intermediate CA certificates
  • Hard code the acceptance of the old versions of the intermediate CA certificates
  • Operate a trust store that includes the old versions of the intermediate CA certificates

Action required

If you practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. You should stop pinning and hard coding ICA certificates or make the necessary changes to ensure your GeoTrust DV and RapidSSL DV certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to their new ICA certificate and trusted root.

See the DigiCert Trusted Root Authority Certificates page to download copies of the new Intermediate CA certificates.

What if I need more time?

If you need more time to update your environment, you can continue to use the old 2020 ICA certificates until they expire. Contact DigiCert Support, and they can set that up for your account. However, after May 31, 2022, RapidSSL DV and GeoTrust DV certificates issued from the 2020 ICA certificates will be truncated to less than one year.

April 5, 2022

symantec domains CertCentral upgrade Thawte GeoTrust legacy console upgrades RapidSSL Migration CAA resource record
new

CertCentral: Domain locking is now available

DigiCert is happy to announce our domain locking feature is now available.

Does your company have more than one CertCentral account? Do you need to control which of your accounts can order certificates for specific company domains?

Domain locking allows you to control which of your CertCentral accounts can order certificates for your domains.

How does domain locking work?

DNS Certification Authority Authorization (CAA) resource records allow you to control which certificate authorities can issue certificates for your domains.

With domain locking, you can use this same CAA resource record to control which of your company's CertCentral accounts can order certificates for your domains.

How do I lock a domain?

To lock a domain:

  1. Enable domain locking for your account.
  2. Set up domain locking for a domain.
  3. Add the domain's unique verification token to the domain's DNS CAA resource record.
  4. Check the CAA record for the unique verification token.

To learn more, see:

new

End of life for account upgrades from Symantec, GeoTrust, Thawte or RapidSSL to CertCentral™

From April 5, 2022, MDT, you can no longer upgrade your Symantec, GeoTrust, Thawte, or RapidSSL account to CertCentral™.

If you haven't already moved to DigiCert CertCentral, upgrade now to maintain website security and have continued access to your certificates.

Note: During 2020, DigiCert discontinued all Symantec, GeoTrust, Thawte, RapidSSL admin consoles, enrollment services, and API services.

How do I upgrade my account?

To upgrade your account, contact DigiCert Support immediately. For more information about the account upgrade process, see Upgrade from Symantec, GeoTrust, Thawte, or RapidSSL.

What happens if I don't upgrade my account to CertCentral?

After April 5, 2022, you must get a new CertCentral account and manually add all account information, such as domains and organizations. In addition, you won't be able to migrate any of your active certificates to your new account.

For help setting up your new CertCentral account after April 5, 2022, contact DigiCert Support.

April 15, 2020

bug fix download link certificate notification upgrade tls certificates GeoTrust DV Certificates digicert order ID
fix

Bug fix: DV certificate not attached to email notification

We fixed a bug in the DV certificate issuance process where we weren't attaching a copy of the DV certificate to the Your certificate for your-domain email notification. As a temporary fix to this issue, we now include a certificate download link in the DV certificate email notification.

Note: After DigiCert issues a certificate, it is immediately available in your CertCentral account.

To use the download link in the email, you must have access to the CertCentral account and have permissions to access the certificate order.

If an email recipient doesn't have access to the account or to the certificate order, you can email them a copy of the DV certificate from your CertCentral account. See our instructions for how to email a DV certificate from your CertCentral account.

enhancement

Legacy partner account upgrades to CertCentral

In the DigiCert Service API, we updated the—DigiCert order ID—to make it easier to find the corresponding DigiCert order IDs for your migrated legacy GeoTrust TLS/SSL certificate orders.

Now, you can use the GeoTrust order ID* to access the DigiCert order ID for your GeoTrust certificate orders. Additionally, when using the GeoTrust order ID, we return the most current DigiCert certificate order ID.

*Note: In the legacy partner accounts, you only have access to the GeoTrust order ID for your GeoTrust TLS/SSL certificate orders.

Background

After you migrate your active, public SSL/TLS certificate orders to your new account, we assign a unique DigiCert order ID to each migrated legacy SSL/TLS certificate order.

For more information:

April 5, 2020

API access symantec CertCentral access 2020 scheduled maintenance Service provider maintenance Thawte GeoTrust RapidSSL Console access
new

Scheduled Maintenance

On April 5, 2020 from 07:00 to 09:00 UTC, DigiCert will perform scheduled maintenance.

Although we have redundancies in place to protect your service, some DigiCert services may be unavailable during this time.

DigiCert services will be restored as soon as maintenance is completed.

What can you do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

new

High-priority service provider maintenance April 5 from 06:00 - 08:00 UTC

On Friday April 3, DigiCert was notified by our data center service provider that they are going to perform some high-priority maintenance on Sunday April 5 from 06:00 – 08:00 UTC.

How does this affect me?

This maintenance window only affects legacy Symantec Website Security, Thawte, GeoTrust, and RapidSSL customers.

During this time, Symantec, GeoTrust, Thawte and RapidSSL consoles, associated APIs, and certificate issuance may be affected.

Services will be restored as soon as maintenance is completed.

What can you do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

  • DigiCert 2020 scheduled maintenance
    This page is kept up to date with all our maintenance schedule information.
  • DigiCert Status
    To get live updates, subscribe to the DigiCert Status page.

December 7, 2018

New feature certcentral New GeoTrust DV Certificates RapidSSL
new

RapidSSL and GeoTrust DV certificates are available in CertCentral:

  • RapidSSL Standard DV
  • RapidSSL Wildcard DV
  • GeoTrust Standard DV
  • GeoTrust Wildcard DV

Documentation

About

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.