CertCentral to issue GeoTrust and RapidSSL DV certificates from new intermediate CA certificates
On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.
Old ICA certificates
New ICA certificates
See the DigiCert ICA Update KB article.
How does this affect me?
Rolling out new ICA certificates does not affect your existing DV certificates. Active certificates issued from the replaced ICA certificates will remain trusted until they expire.
However, all new certificates, including certificate reissues, will be issued from the new ICA certificates. To ensure ICA certificate replacements go unnoticed, always include the provided ICA certificate with every TLS certificate you install.
No action is required unless you do any of the following:
If you practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. You should stop pinning and hard coding ICA certificates or make the necessary changes to ensure your GeoTrust DV and RapidSSL DV certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to their new ICA certificate and trusted root.
See the DigiCert Trusted Root Authority Certificates page to download copies of the new Intermediate CA certificates.
What if I need more time?
If you need more time to update your environment, you can continue to use the old 2020 ICA certificates until they expire. Contact DigiCert Support, and they can set that up for your account. However, after May 31, 2022, RapidSSL DV and GeoTrust DV certificates issued from the 2020 ICA certificates will be truncated to less than one year.
We fixed a bug that changes the reissue workflow for DV certificates. After August 24, 2021, when you reissue a DV certificate and change or remove SANs, the original certificate and any previously reissued or duplicate certificates are revoked after a 72-hour delay.
Industry moves to 3072-bit key minimum RSA code signing certificates
Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes,
How do these changes affect my existing 2048-bit key certificates?
All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.
What if I need 2048-bit key code signing certificates?
Take these actions, as needed, before May 27, 2021:
How do these changes affect my code signing certificate process starting May 27, 2021?
Reissues for code signing certificate
Starting May 27, 2021, all reissued code signing certificates will be:
New and renewed code signing certificates
Starting May 27, 2021, all new and renewed code signing certificates will be:
CSRs for code signing certificates
Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.
eTokens for EV code signing certificates
Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.
HSMs for EV code signing certificates
Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.
New ICA and root certificates
Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).
RSA ICA and root certificates:
ECC ICA and root certificates:
No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.
If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).
If you have questions or concerns, please contact your account manager or our support team.
DigiCert to stop issuing SHA-1 code signing certificates
On Tuesday, December 1, 2020 MST, DigiCert will stop issuing SHA-1 code signing and SHA-1 EV code signing certificates.
Note: All existing SHA-1 code signing/EV code signing certificates will remain active until they expire.
Why is DigiCert making these changes?
To comply with the new industry standards, certificate authorities (CAs) must make the following changes by January 1, 2021:
How do the SHA-1 code signing certificate changes affect me?
If you rely on SHA-1 code signing certificates, take these actions as needed before December 1, 2020:
For more information about the December 1, 2020 changes, see our knowledgebase article DigiCert to Stop Issuing SHA-1 Code Signing Certificates.
If you have additional questions, please contact your account manager or our support team.
We improved the Transaction Summary on the Reissue Certificate for Order pages, allowing you to see how many days remain until the certificate expires. Now, when you reissue a certificate, the Transaction Summary shows the certificate validity along with days until it expires (e.g., 1 year (expires in 43 days).
We improved our Basic and Secure Site single domain certificate offerings (Standard SSL, EV SSL, Secure Site SSL, and Secure Site EV SSL), adding the Include both [your-domain].com and www. [your-domain].com in the certificate option to these certificates' order, reissue, and duplicate forms. This option allows you to choose whether to include both versions of the common name (FQDN) in these single domain certificates for free.
Works for subdomains too
The new option allows you to get both versions of base and subdomains. Now, to secure both versions of a subdomain, add the subdomain to the Common Name box (sub.domain.com) and check Include both [your-domain].com and www. [your-domain].com in the certificate. When DigiCert issues your certificate, it will include both versions of the subdomain on the certificate: [sub.domain].com and www.[sub.doman].com.
Removed Use Plus Feature for Subdomains
The Include both [your-domain].com and www. [your-domain].com in the certificate option makes the Plus Feature -- Use Plus Feature for Subdomains obsolete. So, we removed the option from the Division Preferences page (in the sidebar menu, click Settings > Preferences).
In the DigiCert Services API, we updated the Order OV/EV SSL, Order SSL (type_hint), Order Secure Site SSL, Order Private SSL, Reissue certificate, and Duplicate certificate endpoints listed below. These changes provide more control when requesting, reissuing, and duplicating your single domain certificates, allowing you choose whether to include a specific additional SAN on these single domain certificates for free.
*Note: For the Order SSL (type_hint) endpoint, only use the
dns_names parameter as described below to add the free SAN.
To secure both versions of your domain ([your-domain].com and www. [your-domain].com), in your request, use the
common_name parameter to add the domain ([your-domain].com) and the
dns_names parameter to add the other version of the domain (www. [your-domain].com).
When DigiCert issues your certificate, it will secure both versions of your domain.
To secure only the common name (FQDN), omit the
dns_names parameter from your request.