We fixed an Additional Emails bug where additional emails added to a certificate order weren't being saved.
Now, when you go to a certificate's Order details page and add and save additional email addresses to the order, the additional email addresses are saved and will be there when you return to the page.
We fixed a Code Signing (CS) certificate approval email bug where the CS approval email was sent when the CS requestor was also a CS verified contact.
Now, when the code signing certificate requestor is also the verified CS contact for the organization, we don't send a CS approver email.
Industry standards changed and removed two Domain Control Validation (DCV) methods from the Baseline Requirements (BRs).
Starting August 1, 2018, Certificate Authorities can no longer use the following domain control validation (DCV) methods:
To learn more about some of the available DCV methods, see Domain Control Validation (DCV) Methods.
DigiCert Compliance with GDPR
The General Data Protection Regulation (GDPR) is a European Union law on data protection and privacy for all individuals within the EU. The primary aim is to give citizens and residents of the EU more control over their personal data and to simplify the regulatory environment for international business by unifying the regulations within the EU. The GDPR went into effect on May 25, 2018.
DigiCert worked to understand and comply with GDPR. We were aligned with GDPR when it went into effect on May 25, 2018. See Meeting the General Data Protection Regulation (GDPR).
GDPR Impact on WHOIS-based Email Domain Control Validation (DCV)
The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. The GDPR requires data protection for natural persons (not corporate entities) residing within the European Union (EU).
DigiCert worked with ICANN to keep WHOIS information available. ICANN announced that it continues to require registries and registrars to submit information to WHOIS, with a few changes to address GDPR. See A Note on WHOIS, GDPR and Domain Validation.
Do you rely on WHOIS-based Email domain validation?
Check with your domain registrar to find out if they are using an anonymized email or a web form as a way for CAs to access WHOIS data as part of their GDPR compliance.
For the most efficient validation process, let your registrar know that you want them to either continue using your full published records or use an anonymized email address for your domains. Using these options will ensure minimal to no impact on our validation processes.
Does your registrar use an anonymized email or a web form as a way for CAs to access WHOIS data? If so, we can send the DCV email to the addresses listed in their WHOIS record.
Does your registrar mask or remove email addresses? If so, you will need to use one of the other methods to prove control over your domains:
For more information about constructed email addresses and other alternative DCV methods, see Domain Control Validation (DCV) Methods.
Industry standards allow a Certificate Authority (CA) to issue an SSL/TLS certificate for a domain that only has CAA records containing no "issue"/"issuewild" property tags.
When a CA queries a domain's CAA RRs and finds records with no "issue" or "issuewild" property tags in them, a CA can interpret this as permission to issue the SSL/TLS certificate for that domain. See Ballot 219: Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag.
To learn more about the CAA RR check process, see our DNS CAA Resource Record Check page.
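The decision described in the CAA entry above can be sketched as follows. This is an added example, not DigiCert's code: `ca.example` and `other-ca.example` are placeholder CA identifiers, the record sets are constructed, and the critical-flag rule comes from RFC 8659 rather than from this page.

```python
# Added illustration: record sets below are constructed samples, not real DNS data.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659)


def issuer_of(value):
    """Issuer domain of an issue/issuewild value; '' (e.g. ';') authorizes no CA."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(rrset, ca_domain, wildcard=False):
    """Decide whether the relevant CAA record set lets `ca_domain` issue.

    rrset is a list of (flags, tag, value) tuples.
    """
    by_tag = {}
    for flags, tag, value in rrset:
        tag = tag.lower()
        # An unrecognized tag marked critical blocks issuance (RFC 8659, not the page).
        if tag not in KNOWN_TAGS and flags & CRITICAL:
            return False
        by_tag.setdefault(tag, []).append(value)

    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    # Non-wildcard requests ignore issuewild entirely.
    if wildcard and "issuewild" in by_tag:
        relevant = by_tag["issuewild"]
    elif "issue" in by_tag:
        relevant = by_tag["issue"]
    else:
        # Ballot 219 case: records exist but none restrict this request.
        return True
    return any(issuer_of(v) == ca_domain.lower() for v in relevant)


# Constructed record sets; "ca.example" is a placeholder CA identifier.
IODEF_ONLY = [(0, "iodef", "mailto:security@shop.example")]
OTHER_CA = [(0, "issue", "other-ca.example")]
SPLIT = [(0, "issue", "ca.example; policy=ev"), (0, "issuewild", ";")]

if __name__ == "__main__":
    for label, rrset in [("iodef only", IODEF_ONLY), ("other CA", OTHER_CA), ("split", SPLIT)]:
        print(label, caa_permits(rrset, "ca.example"), caa_permits(rrset, "ca.example", wildcard=True))
```

A domain owner who publishes only an `iodef` record therefore restricts no CA; restricting issuance requires an explicit `issue` or `issuewild` record.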
DigiCert implements an improved Organization Unit (OU) verification process.
Per Baseline Requirements:
"The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 11.2…"
Note: The OU field is an optional field. It is not required to include an organization unit in a certificate request.
This is for informational purposes only; no action is required.
As of February 1, 2018, DigiCert publishes all newly issued public SSL/TLS certificates to public CT logs. This does not affect any OV certificates issued before February 1, 2018. Note that CT logging has been required for EV certificates since 2015. See DigiCert Certificates Will Be Publicly Logged Starting Feb. 1.
New "exclude from CT log when ordering a certificate" feature added to CertCentral. When you activate this feature (Settings > Preferences), you allow account users to keep public SSL/TLS certificates from being logged to public CT logs on a per certificate order basis.
While ordering an SSL certificate, users have an option not to log the SSL/TLS certificate to public CT logs. The feature is available when a user orders a new certificate, reissues a certificate, and renews a certificate. See CertCentral Public SSL/TLS Certificate CT Logging Guide.
New optional CT logging opt out field (disable_ct) added to the SSL certificate request API endpoints. Also, a new CT Log issued certificate opt out endpoint (ct-status) added. See CertCentral API Public SSL/TLS Certificate Transparency Opt Out Guide.
Industry standards change for CAA Resource Record checks. Modified the process to check CNAME chains containing 8 CNAME records or fewer, and the search doesn’t include the parent of a target of a CNAME record. See DNS CAA Resource Record Check.
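The lookup rule in the entry above, as an added example that is not DigiCert's implementation: it finds which CAA record set applies to a name by following CNAMEs and then climbing the requested name's own parents. The zone data and names are constructed, and raising an error for a chain longer than 8 is an assumption, since the page does not say how that case is handled.

```python
# Added illustration: ZONE is a constructed stand-in for DNS, not real data.
MAX_CNAMES = 8  # chain limit stated in the release note


def resolve_caa(name, zone):
    """Follow CNAMEs from `name`; return (final_name, CAA records or [])."""
    start, hops = name, 0
    while "CNAME" in zone.get(name, {}):
        hops += 1
        if hops > MAX_CNAMES:
            # Assumption: an over-long chain is reported as a lookup failure.
            raise LookupError(f"CNAME chain from {start!r} exceeds {MAX_CNAMES}")
        name = zone[name]["CNAME"]
    return name, zone.get(name, {}).get("CAA", [])


def find_relevant_caa(domain, zone):
    """Return (owner, records) of the first CAA record set found for `domain`."""
    labels = domain.rstrip(".").lower().split(".")
    while labels:
        owner, records = resolve_caa(".".join(labels), zone)
        if records:
            return owner, records
        # Climb to the parent of the requested name, never the parent of a CNAME target.
        labels = labels[1:]
    return None, []


# Constructed zone: www.shop.example is an alias into a third party's namespace.
ZONE = {
    "www.shop.example": {"CNAME": "edge.cdn-host.example"},
    "cdn-host.example": {"CAA": [(0, "issue", "other-ca.example")]},
    "shop.example": {"CAA": [(0, "issue", "ca.example")]},
}

if __name__ == "__main__":
    # The CNAME target has no CAA of its own, so the search moves to shop.example;
    # the CAA record at cdn-host.example (parent of the target) is never consulted.
    print(find_relevant_caa("www.shop.example", ZONE))
```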
Industry standards change to validation process. Validation information (DCV or organization) older than 825 days must be revalidated before processing a certificate reissue, renewal, or issue.