Apple's new compliance requirements for Private SSL certificates
Apple recently announced some new security requirements for SSL/TLS certificate that will go into effect with the release of iOS 13 and macOS 10.15. These requirements affect public and private certificate issued after July 1, 2019.
For your public DigiCert SSL/TLS certificates, no action is required.
DigiCert public SSL/TLS certificates already meet all these security requirements. Your public SSL/TLS certificates aren't affected by these new requirements and will be trusted in iOS 13 and macOS 10.15.
What's new?
Apple is implementing additional security requirements for all SSL/TLS certificates that by design impact private SSL/TLS certificates. See Requirements for trusted certificates in iOS 13 and macOS 10.15.
DigiCert private SSL/TLS certificates meet these requirements, if issued by account administrators according to public certificate requirements.
We've provided a list of the requirements below that may affect your private SSL/TLS certificates. These versions of Apple's OS are slated to be released during the fall of this year. This means, you need to prepare now.
New private SSL/TLS certificate requirements:
What can you do?
If Apple iOS and macOS trust are required for your private SSL/TLS certificates, verify any private SSL/TLS certificates issued after July 1, 2019 meet their new requirements. If you find certificate that don't meet these requirements, you'll want to take these actions soon:
Industry standards change
As ofJuly 31, 2019 (19:30 UTC), you must use the HTTP Practical Demonstration DCV method to demonstrate control over IP addresses on your certificate orders.
For more information about the HTTP Practical Demonstration DCV method, see these instructions:
Currently, industry standards used to allow you to use other DCV methods to demonstrate control over your IP address. However, with the passing of Ballot SC7, the regulations for IP address validation changed.
Ballot SC7: Update IP Address Validation Methods
This ballot redefines the permitted processes and procedures for validating the customer's control of an IP Address listed in a certificate. Compliance changes for Ballot SC7 go into effect on July 31, 2019 (19:30 UTC).
To remain compliant, as of July 31, 2019 (19:30 UTC), DigiCert only allows customers to use the HTTP Practical Demonstration DCV method to validate their IP addresses.
Removing Support for IPv6
As of July 31, 2019 (19:30 UTC), DigiCert has removed support for certificates for IPv6 addresses. Due to server limitations, DigiCert is unable to reach out to IPv6 address to verify the file placed on the customer's website for the HTTP Practical Demonstration DCV method.
We've updated the CertCentral SAML Federation Settings, enabling you to keep your Federation Name from appearing in the list of IdPs on the SAML Single Sign-On IdP Selection and SAML certificate requests IdP Selection pages.
Now, on the Federation Settings page, under Your IDP's Metadata, we added the Include Federation Name option. If you want to keep your Federation Name from appearing in the list of IdPs on the IdP Selection page, uncheck Add my Federation Name to the list of IdPs.
Secure Site Pro TLS/SSL certificates are available in CertCentral. With Secure Site Pro, you're charged per domain; no base certificate cost. Add one domain, get charged for one. Need nine domains, get charged for nine. Secure up to 250 domains on one certificate.
We offer two types of Secure Site Pro certificates, one for OV certificates and one for EV certificates.
Benefits included with each Secure Site Pro certificate
Each Secure Site Pro certificate includes – at no extra cost – first access to future premium feature additions to CertCentral (e.g., CT log monitoring and validation management).
Other benefits include:
To activate Secure Site Pro certificates for your CertCentral account, contact your account manager or our support team.
To learn more about our Secure Site Pro certificates, see DigiCert Secure Site Pro.
Public SSL certificates can no longer secure domain names with underscores ("_"). All previously issued certificates with underscores in domain names must expire prior to this date.
Note: The preferred underscore solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. However, for those situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain.
For more details, see Retiring Underscores in Domain Names.
Industry standard requirements for including the CanSignHttpExchanges extension in an ECC SSL/TLS certificate:
*Note: These requirements took effect as of May 1, 2019. The Signed HTTP Exchanges extension is under active development. There may be additional changes to the requirements as industry development continues.
The 90-day maximum certificate validity requirement doesn't affect certificates issued prior to May 1, 2019. Note that reissued certificate will be truncated to 90-days from the time of reissue. However, you can continue reissuing the certificate for the full purchased validity period.
CanSignHttpExchanges extension
Recently, we added a new certificate profile, HTTP Signed Exchanges to help address the AMP URL display issue where your brand isn’t displayed in the address bar. See, Display better AMP URLs with Signed Exchanges.
This new profile allows you to include the CanSignHttpExchanges extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the CanSignHttpExchanges extension in the certificate option appears on your OV and EV SSL/TLS certificate order forms under Additional Certificate Options. See Get your Signed HTTP Exchanges certificate.
To enable this certificate profile for your account, please contact your account manager or contact our Support team.
CAs can no longer issue 30-day public SSL certificate containing underscores in domain names (common names and subject alternative names).
Note: The preferred underscore solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. However, for those situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain.
For more details, see Retiring Underscores in Domain Names.
Final day you can order 30-day public SSL certificates containing underscores in domain names (common names and subject alternative names) from any CA.
Note: The preferred underscore solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. However, for those situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain.
For more details, see Retiring Underscores in Domain Names.
No action is required on your part.
As of February 13, 2019, DigiCert no longer issues ECC TLS/SSL certificates (i.e., certificates with ECDSA keys) with the curve-hash pair P-384 with SHA-2 512 (SHA-512). This curve-hash pair is not compliant with Mozilla's root store policy.
Mozilla's root store policy supports these curve-hash pairs only:
Note: Do you have a certificate with a P-384 with SHA-512 curve-hash pair? Don't worry. When it’s time to renew the certificate, it will automatically be issued using a supported curve-hash pair.
Certificate Authorities (CAs) revoked all public SSL certificates containing underscores (in the common name and subject alternative names) with a maximum validity of more than 30 days by end of day (UTC time).
If you had an SSL certificate with a total validity of 31 days or more (which includes all 1-year, 2-year, and 3-year certificates) that expired after January 14, 2019, the CA who issued your certificate was required to revoke it.
For more details, see Retiring Underscores in Domain Names.
DigiCert began issuing public SSL certificates containing underscores for a limited time.
For more details, see Retiring Underscores in Domain Names.
In the top menu, we added two new contact support options (phone and chat icons) making it easier to contact support from within CertCentral (via email, chat, or phone).
The phone icon provides you with email and phone options. The chat icon provides you with a chat window where you can start a chat with one of our dedicated support team members.
We enhanced the sidebar menu, making it easier to see the menu option for the pages you are visiting. Now, when you visit a page in CertCentral, the menu option for that page will have a horizontal blue bar next to it.
We fixed a bug in the Add Organization feature on the SSL/TLS certificate request forms where the validation status (EV and OV validated) was not included for new organizations added and validated as part of the certificate order.
Now, new organizations added when ordering an SSL certificate will show a Validated status.
Note: The organization's validation status doesn't appear until we've fully validated the organization.
Industry standards compliance change. For publicly trusted certificates, underscores ( _ ) can no longer be included in subdomains. RFC 5280 now enforced for subdomains as well.
See Publicly Trusted Certificates – Data Entries that Violate Industry Standards.
Industry standards changed and removed two Domain Control Validation (DCV) methods from the Baseline Requirements (BRs).
Starting August 1, 2018, Certificate Authorities can no longer use the following domain control validation (DCV) methods:
To learn more about some of the available DCV methods, see Domain Control Validation (DCV) Methods.
DigiCert Compliance with GDPR
The General Data Protection Regulation (GDPR) is a European Union law on data protection and privacy for all individuals within the EU. The primary aim is to give citizens and residents of the EU more control over their personal data and to simplify the regulatory environment for international business by unifying the regulations within the EU. The GDPR went into effect on May 25, 2018. More Details »
DigiCert Statement
DigiCert worked to understand and comply with GDPR. We were aligned with GDPR when it went into effect on May 25, 2018. See Meeting the General Data Protection Regulation (GDPR).
GDPR Impact on WHOIS-based Email Domain Control Validation (DCV)
The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. The GDPR requires data protection for natural persons (not corporate entities) residing within the European Union (EU).
DigiCert worked with ICANN to keep WHOIS information available. ICANN announced that it continues to require registries and registrars to submit information to WHOIS, with a few changes to address GDPR. See A Note on WHOIS, GDPR and Domain Validation.
Do you rely on WHOIS-based Email domain validation?
Check with your domain registrar to find out if they are using an anonymized email or a web form as a way for CAs to access WHOIS data as part of their GDPR compliance.
For the most efficient validation process, let your registrar know that you want them to either continue using your full published records or use an anonymized email address for your domains. Using these options will ensure minimal-to-no-impact on our validation processes.
Does your registrar use an anonymized email or a web form as a way for CAs to access WHOIS data? If so, we can send the DCV email to the addresses listed in their WHOIS record.
Does your registrar mask or remove email addresses? If so, you will need to use one of the other methods to prove control over your domains:
For more information about constructed email addresses and other alternative DCV methods, see Domain Control Validation (DCV) Methods.
Industry standards allow a Certificate Authority (CA) to issue an SSL/TLS certificate for a domain that only has CAA records containing no "issue"/"issuewild" property tags.
When a CA queries a domain's CAA RRs and finds records with no "issue" or "issuewild" property tags in them, a CA can interpret this as permission to issue the SSL/TLS certificate for that domain. See Ballot 219: Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag.
To learn more about the CAA RR check process, see our DNS CAA Resource Record Check page.
As part of the industry-wide move away from of TLS 1.0/1.1 and to maintain our PCI compliance, DigiCert disabled TLS 1.0/1.1 on April 1, 2018. DigiCert only supports TLS 1.2 and higher going forward. See Deprecating TLS 1.0 & 1.1.
DigiCert implements an improved Organization Unit (OU) verification process.
Per Baseline Requirements:
"The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 11.2…"
Note: The OU field is an optional field. It is not required to include an organization unit in a certificate request.
As of March 1, 2018, 825 days is the maximum allowed length for a reissued (or duplicate issued) public 3-year SSL/TLS certificate.
For a 3-year OV certificate issued after March 1, 2017, be aware that during the first year of the 3-year certificate's lifecycle, all reissued and duplicate certificates may have a shorter lifecycle than the "original" certificate, and these reissued certificates will expire first. See
How does this affect my 3-year certificate reissues and duplicate issues?.
As of February 21, 2018, DigiCert only offers 1 and 2-year public SSL/TLS certificates due to changes in industry standards that limit the maximum length of a public SSL certificate to 825 days (approximately 27 months). See February 20, 2018, Last Day for New 3-Year Certificate Orders.
This is for informational purposes only, no action is required.
As of February 1, 2018, DigiCert publishes all newly issued public SSL/TLS certificates to public CT logs. This does not affect any OV certificates issued before February 1, 2018. Note that CT logging has been required for EV certificates since 2015. See DigiCert Certificates Will Be Publicly Logged Starting Feb. 1.
New "exclude from CT log when ordering a certificate" feature added to CertCentral. When you activate this feature (Settings > Preferences), you allow account users to keep public SSL/TLS certificates from being logged to public CT logs on a per certificate order basis.
While ordering an SSL certificate, users have an option not to log the SSL/TLS certificate to public CT logs. The feature is available when a user orders a new certificate, reissues a certificate, and renews a certificate. See CertCentral Public SSL/TLS Certificate CT Logging Guide.
New optional CT logging opt out field (disable_ct) added to the SSL certificate request API endpoints. Also, a new CT Log issued certificate opt out endpoint (ct-status) added. See CertCentral API Public SSL /TLS Certificate Transparency Opt Out Guide.
Industry standards change for CAA Resource Record checks. Modified the process to check CNAME chains containing 8 CNAME records or less, and the search doesn’t include the parent of a target of a CNAME record. See DNS CAA Resource Record Check.
Industry standards change for certificate issuance. Modified the certificate issuance process to check DNS CAA Resource Records. See DNS CAA Resource Record Check.
Industry standards compliance changes; improved RFC 5280 violations checks and enforcements. See Publicly Trusted Certificates – Data Entries that Violate Industry Standards.
Industry standards change to validation process. Validation information (DCV or organization) older than 825 days must be revalidated before processing a certificate reissue, renewal, or issue. More details »
Industry standards compliance changes; added support for additional domain control validation (DCV) methods. See Domain Pre-Validation: Domain Control Validation (DCV) Methods.
