CertCentral

On May 15, 2026, DigiCert will revoke the intermediate CA (ICA) certificates listed in the table below, along with all associated end-entity certificates. This revocation is required to transition the DigiCert Global Root G2 and DigiCert Global Root G3 root hierarchies into dedicated TLS-only hierarchies. To see part 1, read the July 23, 2025, change log entry.

What do I need to do?

Before May 15, 2026, reissue affected certificates:

Why is DigiCert moving to dedicate TLS root hierarchies

The Google Chrome Root Program requires Certificate Authorities (CAs) to use dedicated TLS root hierarchies for issuing public TLS certificates.

To enhance digital trust and comply with browser root programs requirements, DigiCert is transitioning to single-purpose root hierarchies dedicated to issuing public TLS end-entity certificates.

Additional information

Beginning May 1, 2026, DigiCert will no longer issue public TLS certificates with the Client Authentication extended key usage (EKU). Per Google Chrome’s root program requirements, DigiCert will issue all public TLS certificates with the Server Authentication EKU. To learn more about part 1, see our October 1, 2025 change log entry.

This change won’t affect your existing TLS certificates with the Client Authentication EKU issued before May 1, 2026. These existing certificates will remain trusted until they expire. However, if you reissue, duplicate, or renew your TLS certificate, we’ll issue it without the Client Authentication EKU.

What do I need to do?

If using your TLS/SSL certificates solely for securing websites (HTTPS), then no action is required. However, DigiCert recommends reviewing your TLS certificate process to verify that it just includes securing websites.

If your organization requires the Client Authentication EKU in your DigiCert TLS certificates for mTLS or server-to-server authentication, then action is required. DigiCert has excellent options available for our customers and partners who require the client authentication EKU beyond May 1, 2026.

Why will DigiCert stop including the client authentication EKU in public TLS certificates?

This change aligns with Google Chrome’s root program requirements to enhance security and promote interoperability. For more information about DigiCert's timeline for phasing out the Client Authentication EKU in our public TLS certificates, read our knowledge base article about sunsetting the Client Authentication EKU.

On March 10, 2026, at 10:00 MDT (16:00 UTC), DigiCert will add more dedicated IPv4 addresses and assign new dedicated IPv6 addresses for specific services.

To learn more about these IPv4 and IPv6 addresses, see our knowledge base article, DigiCert Certificate Status IP Addresses.

What do I need to do to prepare for the new dedicated IP addresses?

Does your company use allowlists to control outgoing traffic? Does your company support or plan to support IPv6 addresses?

Affected platforms:

DigiCert has published the 2026 maintenance schedules to help you plan your certificate, services, and platform activities. We update these schedules as we get more information on how maintenance affects your DigiCert services.

Maintenance schedules

With customers worldwide, we understand there’s no best time for everyone. However, after reviewing customer usage data, we selected times that would affect the fewest customers.

Maintenance schedule guidelines and what to expect:

If you have questions or require more information about these maintenance windows, contact your account manager or DigiCert Support.

DigiCert will perform scheduled maintenance on December 6, 2025, 17:00 - 19:00 CET (16:00 - 18:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn how maintenance affects other DigiCert services, such as the QuoVadis PrimoSign and SealSign signing services, see the December 6 entry in the DigiCert Europe 2025 maintenance schedule.

Parts of DigiCert’s public certificate issuance process, account creation, and individual and organization validation will be down for approximately 2 minutes while we work on our organization and individual validation services during scheduled global maintenance on December 6, 2025, 22:00 – 24:00 MST (December 7, 2025, 05:00 – 07:00 UTC). For more details on the two-minute downtime, see the December 6 entry in the 2025 global maintenance schedule.

How does this affect me?

The work on our organization and individual validation services begins at 22:00 MST (05:00 UTC). At this time, the following DigiCert services will be down for approximately 2 minutes:

Affected platforms and APIs: CertCentral, CertCentral Services API, and Certificate Issuing Service (CIS).

Affected certificates:

As certificate lifespans shrink from 397 days to just 46, now is the perfect time to automate your TLS certificate process and stay ahead of industry changes. (Learn more about the upcoming industry change.)

Introducing the new DigiCert ACME Client, a tool designed to simplify certificate installation and management, while giving advanced users the flexibility they need.

In addition to the DigiCert ACME Client, CertCentral Subscription accounts now feature a brand-new Automation interface. (Learn how to identify your CertCentral account).

The new interface:

DigiCert will perform scheduled maintenance on November 8, 2025, 17:00 - 19:00 CET (16:00 - 18:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn how maintenance affects other DigiCert services, such as the QuoVadis PrimoSign service, see the November 8 entry in the DigiCert Europe 2025 maintenance schedule.

DigiCert will perform scheduled maintenance on November 8, 2025, 22:00 – 24:00 MST (November 9, 2025, 05:00 – 07:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

On November 3, 2025, at 10:00 MDT (16:00 UTC), DigiCert will assign four new IP addresses to api.digicert.com. For information, see our knowledge base article, DigiCert IP addresses for api.digicert.com.

What do I need to do to prepare for the new dedicated IP addresses?

If you don’t use api.digicert.com for any API integrations, or if you do use api.digicert.com but don’t use allowlist, no action is required.

If you replied yes to all three questions, then action is required. Add the new IP addresses to your allowlist by November 3, 2025. Updating your allowlist helps ensure that your api.digicert.com integrations continue to work as they did before DigiCert assigned the new IP addresses.

On October 28, 2025, you must use the static prefix _dnsauth CNAME record configuration to perform your DNS CNAME domain validation. DigiCert is ending support for the [random_value] prefix DNS CNAME record configuration

Beginning October 28, 2025, you must configure your DNS CNAME record with the static prefix _dnsauth to perform your CNAME record domain control validation (DCV). If you configure the CNAME record with the [random_value] prefix, DigiCert's CNAME record check will fail. Your domain won’t be validated, preventing DigiCert from issuing your certificate.

How does this change affect my existing domain validations done with the [random_value] prefix CNAME record configuration?

Domain validations done with the old variant ([random_value] prefix) before October 28, 2025, remain valid and can be reused to issue certificates until the domain validations expire.

However, when you revalidate these domains, you must use the new static prefix _dnsauth CNAME record configuration.

Why is DigiCert supporting just the static prefix _dnsauth CNAME record configuration?

DigiCert is deprecating the current system used for domain control validation (DCV) workflows and replacing it with our Open-Source Domain Control Validation code. As part of this effort, we’re simplifying DCV methods and eliminating some variants. Our Open Source DCV code has undergone independent review offering greater transparency and improved performance.

Resources

On October 27, 2025, at 10:00 MDT (16:00 UTC), DigiCert will assign four new IP addresses to api.digicert.com. For information, see our knowledge base article, DigiCert IP addresses for api.digicert.com.

On October 13, 2025, from 19:30 to 20:00 MDT (October 14, 01:30 to 02:00 UTC), DigiCert will perform maintenance on our site seal service. During this time, DigiCert's site seal service may be unavailable for several minutes.

How does this affect me?

Do you display the DigiCert Smart Seal or one of the DigiCert brand site seals on your website?

What do I need to do?

Nothing. When we finish our work, your DigiCert Smart Seal, and DigiCert brand site seals should reappear on your website.

Need help?

If you have questions or concerns about the site seal downtime, contact your account manager or DigiCert Support.

DigiCert will perform scheduled maintenance on October 11, 2025, 17:00 - 19:00 CEST (15:00 - 17:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn about the impact of the October 11 maintenance on other DigiCert services, such as the ADSS signing service, see the Saturday, October 11 entry in the DigiCert Europe 2025 maintenance schedule.

DigiCert will perform scheduled maintenance on October 11, 2025, 22:00 – 24:00 MDT (October 12, 2025, 04:00 – 06:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Beginning October 1, 2025, DigiCert will stop including the Client Authentication extended key usage (EKU) in public TLS certificates by default and issue these certificates with just the Server Authentication EKU.

What do I need to do?

If using your TLS/SSL certificates solely for securing websites (HTTPS), then no action is required. However, DigiCert recommends reviewing your TLS certificate process to verify that it just includes securing websites.

If you use your public TLS certificates to authenticate clients to a server, such as users or devices, action is required. You can still include the Client Authentication EKU in your certificates until May 1, 2026. However, you must do so proactively while requesting a TLS certificate in CertCentral or via the CertCentral Services API (application programming interface).

DigiCert recently added new EKU options to our public TLS certificate process. These options allow you to include the Server Authentication and Client Authentication EKUs in your certificates. See the August 12, 2025, change log entry.

CertCentral Resources

Why is DigiCert going to stop including the client authentication EKU in public TLS certificates by default?

This change aligns with Google Chrome’s root program requirements to enhance security and promote interoperability. For more information about DigiCert's timeline for phasing out the Client Authentication EKU, read our article about sunsetting the client authentication EKU.

In CertCentral, we updated the Domains and the domain details pages making it easier to discover the following domain control validation (DCV) information about each domain:

Domains page

On the Domains page, we removed the DCV method column and replaced it with two new columns: Current DCV method and Last completed DCV method. Now, from the Domains page, you can quickly verify the last and current validation methods used to validate the domain.

Domain details page

On the domain details page, in the information panel and Domain details section, we removed the DCV method entry and replaced it with two entries: Current DCV method and Last completed DCV method. Now, when on the domain’s details page, quickly find the last DCV method and current DCV method used to validate the domain.

See for yourself

1. In CertCentral, in the left menu, go to Certificates > Domains.

   For CertCentral Subscriptions accounts, in the left menu, go to Validation > Domains.

2. On the Domains page, you now see the two new columns: Current DCV method and Last completed DCV method.

3. In the Domain name column, select a domain link.

4. On the domain details page, in the information panel and the Domain details section, you now see the new entries: Current DCV method and Last completed DCV method.

Domains page

Domain details page

DigiCert fixed an issue where CertCentral wasn't consistently enforcing the list of allowed domains for a division. This bug affected certificate request submitted via CertCentral and the Services API (application programming interface).

With this update, certificate requests within a division can’t include unapproved domains.

To make it easier to get a certificate with Linux formatting, DigiCert has introduced a new setting for all our certificates: Use Linux newlines for certificate formatting instead of Windows formatting.

By default, DigiCert uses the Windows formatting for our certificates. Previously, to get a certificate with Linux formatting, you had to convert it manually or use a program that modified the formatting for you.

With this new setting, if your certificate process requires Linux formatting, you can configure a product setting to download the certificate with Linux newline format.

See for yourself

You must be a CertCentral administrator to view and edit a product's settings.

Why should I use Linux newlines formatting?

Use Linux formatting if your platform or system just supports Linux newlines, or if you’re a former QuoVadis TrustLink Enterprise customer.

On September 22, 2025, DigiCert will add a secondary CDN (content delivery network) with more dedicated IPv4 addresses for specific services.

To learn more about these IPv4 addresses and the affected services, see our knowledge base article, DigiCert Certificate Status IP Addresses.

Why is DigiCert adding a secondary CDN?

We’re adding a secondary CDN to increase global resiliency and performance.

Beginning September 22, 2025, DigiCert will only support Hypertext Transfer Protocol (HTTP)/1.0 with a proper Host header, HTTP/1.1, and HTTP/1.2 connections for Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRL) checks.

Why is DigiCert making this change?

By only supporting HTTP/1.0 with a proper Host header or HTTP/1.1 and later, DigiCert aligns with modern internet standards and removes outdated limitations, such as:

On September 8, 2025, DigiCert will add a secondary CDN (content delivery network) with more dedicated IPv4 addresses for specific services.

To learn more about these IPv4 addresses and the affected services, see our knowledge base article, DigiCert Certificate Status IP Addresses.

Beginning September 22, 2025, DigiCert will only support HTTP/1.0 connections with a proper Host header, as well as HTTP/1.1 and HTTP/1.2, for Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRL) checks.

DigiCert will perform scheduled maintenance on September 6, 2025, 17:00 - 19:00 CEST (15:00 - 17:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn how the September 6 maintenance affects other DigiCert services, such as the ADSS and PrimoSign signing services, see the DigiCert Europe 2025 maintenance schedule.

What can I do?

Plan accordingly:

Services are restored when the maintenance is finished.

DigiCert will perform scheduled maintenance on September 6, 2025, 22:00 – 24:00 MDT (September 7, 2025, 04:00 – 06:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Services are restored when the maintenance is finished.

DigiCert updated the certificate request approval process in CertCentral. We no longer require administrators and managers to be “verified contacts” or “authorized representatives” for an organization to approve certain types of certificate requests.

Previously, administrators and managers needed to be “verified contacts” or “authorized representatives” for an organization. This requirement often caused delays in the certificate issuance process when:

With this change, administrators and managers can now approve certificate requests—such as for extended validation (EV) TLS or PKIo Private Services Server—without needing to be verified contacts or authorized representatives. However, if the person approving the certificate request is a verified contact or authorized representative for the organization in the certificate, their approval also serves as an order approval, enabling DigiCert to process and issue the certificate.

Background

Beginning September 1, 2025, DigiCert will enhance its certificate validation process by implementing the next phase of Multi-Perspective Issuance Corroboration (MPIC) per CA/Browser Forum requirements.

Corroboration means multiple network perspectives must return the same domain name system (DNS) record details or website file contents before the domain can be considered validated and the certificate can be issued.

MPIC requirements apply to both domain control validation (DCV) and Certificate Authority Authorization (CAA) checks. For more details about this change and what you need to do to prepare, read our knowledge base article.

How does the MPIC process work?

DigiCert conducts a standard domain validation and CAA record check from our primary network. We then repeat this check six times from more remote locations, each on different networks in different geographical regions.

To verify your domain control, pass the CAA checks, and issue a certificate, at least four of the six remote locations must confirm the details obtained from the primary network.

This redundancy provides stronger protection against security threats that helps catch and block unauthorized attempts to intercept or alter data as it travels across networks. For you, this means enhanced security and increased confidence that only authorized parties can obtain certificates for your domains.

What do I need to do?

To prepare for MPIC, you should have little to do before we implement this new process on September 1, 2025. However, depending on the DCV method you’re using, there may be specific tasks you must finish, while other aspects may relate more to troubleshooting.

Start by auditing your current validation setup. Verify what DCV methods you’re using. Are you using the HTTP Practical demonstration, DNS TXT record, or Email to CAA contact?

Learn more:

From August 12, 2025, to May 1, 2026, CertCentral is providing two new extended key usage (EKU) options on the public TLS/SSL certificate request forms under Additional certificate options.

Available extended key usage (EKU) options

You can customize which option is selected by default from your TLS certificate’s Product Setting page in CertCentral.

Default Extended Key Usage menu options

Resources

Background

For more information about DigiCert's timeline for phasing out the Client Authentication EKU in our public TLS certificates, read our knowledge base article about sunsetting the client authentication EKU.

DigiCert is updating its Secure Email and Document Signing product names to provide better clarity.

API product identifiers

The product name change doesn’t affect the product identifiers (IDs). Continue to use these product IDs to order these certificates via the CertCentral Services API.

DigiCert fixed a bug in the Orders endpoints where the organization ID wasn’t always included in the response if creating a new organization as part of the order. This bug affected the order endpoints that include an organization in the request, such as Order Basic OV and Order code signing certificate. The bug didn’t affect endpoints that don’t include an organization in the request, such as Order GeoTrust DV SSL.

Now, if you create a new organization as part of your certificate request, the new organization’s ID is always included in the response.

DigiCert will perform scheduled maintenance on August 9, 2025, 17:00 - 19:00 CEST (15:00 - 17:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn about the impact of the August 9 maintenance on other DigiCert services, such as the ADSS and SealSign signing services, see the Saturday, August 9 entry in the DigiCert Europe 2025 maintenance schedule.

What can I do?

Plan accordingly:

Services are restored once the maintenance is finished.

DigiCert will perform scheduled maintenance on August 9, 2025, 22:00 – 24:00 MDT (August 10, 2025, 04:00 – 06:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn about the impact of the August 9 maintenance on other DigiCert services, such as Document Trust Manager, see the Saturday, August 9 entry in the DigiCert Global 2025 maintenance schedule.

What can I do?

Plan accordingly:

Services are restored once the maintenance is finished.

Beginning July 23, 2025, DigiCert automatically truncates the validity of certificates issued from the intermediate CA (ICA) certificates in the table below. All affected certificates are set to expire no later than May 14, 2026. This expiration date ensures these certificates expire before the scheduled revocation date of May 15, 2026. See the May 15, 2026, change log entry.

What if I don't want certificates with a truncated validity?

To get certificates that expire after May 14, 2026, use the replacement/new intermediate certificate to issue your certificates. To find your certificate’s replacement ICA certificate, see the Intermediate CA certificate and their associated end-entity certificates to be revoked on May 15, 2026 table in our knowledge base article.

Why is DigiCert moving to dedicated TLS root hierarchies

The Google Chrome Root Program requires Certificate Authorities (CAs) to use dedicated TLS root hierarchies for issuing public TLS certificates.

To enhance digital trust and comply with the evolving requirements of browser root programs, DigiCert is transitioning to single-purpose root hierarchies dedicated to issuing public TLS end-entity certificates.

Additional information

DigiCert will perform scheduled maintenance on July 12, 2025, 17:00 - 19:00 CEST (15:00 - 17:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn how the July 12 maintenance effects the Legacy QuoVadis PrimoSign signing service, see the Saturday, July 12 entry in the DigiCert Europe 2025 maintenance schedule.

What can I do?

Plan accordingly:

Services will be restored once the maintenance is finished.

DigiCert will perform scheduled maintenance on July 12, 2025, 22:00 – 24:00 MDT (July 13, 2025, 04:00 – 06:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn how the July 12 maintenance effects the DigiCert ONE United States location, see the Saturday, July 12 entry in the DigiCert Global 2025 maintenance schedule.

What can I do?

Plan accordingly:

Services will be restored once the maintenance is finished.

On July 10, 2025, at 11:00 MDT (17:00 UTC), DigiCert will no longer accept S/MIME certificate requests using the Legacy certificate profile. All new S/MIME certificate requests must use the Strict or Multipurpose certificate profile (the S/MIME baseline requirements refer to these as Generation profiles). This change affects new, renewed, and reissued certificate requests. To learn more about this change, see our knowledge base article, New Certificate Profile Requirements for Public Secure Email (S/MIME) Certificates 2025.

How does the new certificate profile requirement affect my public S/MIME certificates?

What can I do?

On July 10, 2025, at 11:00 MDT (17:00 UTC), DigiCert will no longer issue S/MIME certificates using the Legacy certificate profile. To learn more about this change, see our knowledge base article, New Certificate Profile Requirements for Public Secure Email (S/MIME) Certificates 2025.

How does this affect me?

DigiCert will never issue your pending S/MIME certificate with the Legacy certificate profile. If you no longer need the certificate, cancel the pending order.

If you still need the S/MIME certificate, cancel the pending order and then do the following as needed:

On July 8, 2025, DigiCert will stop reusing existing WHOIS-based domain validations, regardless of whether previously obtained information is within the allowed 397-day reuse period and regardless of the WHOIS method.

These changes affect all web-based WHOIS domain validations, including the following certificate types: TLS, Verified Mark and Common Mark, Secure Email (S/MIME), DirectAssured, and DirectTrust. See End of life for WHOIS-based DCV methods.

How does this affect me?

Have you used WHOIS-based Email or Phone DCV methods to validate your domains? Then you will need to revalidate your domains the next time you want to get a certificate.

What do I need to do?

Do you rely on immediate certificate issuance?

Why will DigiCert stop reusing existing WHOIS-based domain validations?

The industry recently adopted Ballot SC-80v3: Sunset the Use of WHOIS to Identify Domain Contacts and Relying DCV Methods. To comply with industry changes mandated by the ballot, certificate authorities (CAs), such as DigiCert, must stop using WHOIS to identify domain contacts for email, fax, SMS, postal mail, and phone domain control validation (DCV) methods. Note that DigiCert only supports the email and phone WHOIS-based DCV methods.

References

On July 8, 2025, at 11:00 MDT (17:00 UTC), DigiCert will no longer accept S/MIME certificate requests using the Legacy certificate profile. All new S/MIME certificate requests must use the Strict or Multipurpose certificate profile (the S/MIME baseline requirements refer to these as Generation profiles).

On July 8, 2025, at 11:00 MDT (17:00 UTC), DigiCert will no longer issue S/MIME certificates using the Legacy certificate profile.

On July 1, 2025, at 11:00 MDT (17:00 UTC), DigiCert will no longer accept S/MIME certificate requests using the Legacy certificate profile. All new S/MIME certificate requests must use the Strict or Multipurpose certificate profile (the S/MIME baseline requirements refer to these as Generation profiles).

DigiCert is excited to announce the release of its new X9 PKI for TLS product. The X9 PKI for TLS certificate is perfect for organizations that depend on TLS certificates for secure host-to-host communications, including mutual TLS (mTLS), APIs, and other non-web browser use cases.

Please contact your account representative or DigiCert Support today, to enable the X9 PKI for TLS product in your CertCentral account.

How the X9 PKI for TLS certificate came to be

Regulated by the ASC X9 standards body, DigiCert's X9 PKI for TLS certificate is governed by an independent certificate policy that is not affiliated with any browsers while ensuring interoperability through a common root of trust.

Your X9 PKI  for TLS certificate supports client and server authentication Extended Key Usage (EKUs), addressing today's unique demands for control, security, flexibility, and scalability with encryption, identity verification, and cross-certification. Learn more about X9 PKI and schedule a consultation.

CertCentral resources

CertCentral Services API resources

DigiCert will perform scheduled maintenance on June 7, 2025, 17:00 - 19:00 CEST (15:00 - 17:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn more about the impact of the June 7 maintenance on other DigiCert services, such as the ADSS and PrimoSign signing services, see the Saturday, June 7 entry in the DigiCert Europe 2025 maintenance schedule.

What can I do?

Plan accordingly:

Service will be restored as soon as maintenance is completed.

DigiCert will perform scheduled maintenance on June 7, 22:00 – 24:00 MDT (June 8, 04:00 – 06:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn more about the impact of the June 7 maintenance on other DigiCert services, such as Document Trust Manager and the PrimoSign signing service, see the Saturday, June 7 entry in the DigiCert Global 2025 maintenance schedule.

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

In CertCentral, we added the ability to download a revoked certificate. From the certificate's Order # details page, you can now download a revoked certificate. In the CertCentral Services API, you can now use the existing download certificate endpoints to download a revoked certificate. More details below.

DigiCert will perform scheduled maintenance on May 10, 2025, 17:00 - 19:00 CEST (15:00 - 17:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn more about the impact of the May 10 maintenance on other DigiCert services, such as the PrimoSign signing service, see the Saturday, May 10 entry in the DigiCert Europe 2025 maintenance schedule.

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

DigiCert will perform scheduled maintenance on May 10, 2025, 22:00 – 24:00 MDT (May 11, 2025, 04:00 – 06:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn more about the impact of the May 10 maintenance on other DigiCert services, such as the Trust Lifecycle Manager and DigiCert ONE, see the Saturday, May 10 entry in the DigiCert Global 2025 maintenance schedule.

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

On May 8, 2025, DigiCert will no longer support WHOIS-based DCV email and phone methods. DigiCert systems will stop querying WHOIS entirely for domain validations.

These changes affect all web-based WHOIS domain validations, including the following certificate types: TLS, Verified Mark and Common Mark, Secure Email (S/MIME), DirectAssured, and DirectTrust. See End of life for WHOIS-based DCV methods.

How does this affect me?

Are you using WHOIS-based Email or Phone DCV methods?

Then, the next time you validate your domains, you must use a different DCV method, such as DNS Text Record. If you want to continue to use DCV email, set up a DNS TXT Email Contact or a Constructed Email address.

Why will DigiCert end support for new WHOIS-based domain validations?

The industry recently adopted Ballot SC-80v3: Sunset the Use of WHOIS to Identify Domain Contacts and Relying DCV Methods. To comply with industry changes mandated by the ballot, certificate authorities (CAs), such as DigiCert, must stop using WHOIS to identify domain contacts for email, fax, SMS, postal mail, and phone domain control validation (DCV) methods. Note that DigiCert only supports the email and phone WHOIS-based DCV methods.

References

DigiCert will perform scheduled maintenance on April 12, 2025, 17:00 - 19:00 CEST (15:00 - 17:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn more about the impact of the April 12 maintenance on other DigiCert services, such as the ADSS and PrimoSign signing services, see the Saturday, April 12 entry in the DigiCert Europe 2025 maintenance schedule.

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

DigiCert will perform scheduled maintenance on April 12, 2025, 22:00 – 24:00 MDT (April 13, 2025, 04:00 – 06:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

We canceled the maintenance, which was to affect other DigiCert services. To learn more, see the Saturday, April 12 entry in the DigiCert Global 2025 maintenance schedule.

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

We are happy to announce the release of our new Document Signing products. Starting March 19, DigiCert will offer three new Document Signing certificates to apply electronic signatures or seals:

Your electronic signature or seal certifies the document's origin, authenticity, and integrity, assuring the recipient that the document is from you and has not been altered.

Our new Document Signing certificates:

Learn more about DigiCert’s new document signing products, Document Signing products.

DigiCert is deprecating our older Document Signing products: Document Signing - Individual (500/2000) and Document Signing – Organization (2000/5000) certificates.

On March 19, we replaced the legacy document signing products in CertCentral with the new ones. When you renew or reissue a legacy document signing certificate, we will redirect you to its replacement certificate.

Legacy certificate replacements

How will the renewal and reissue processes work?

To learn more about the legacy certificate replacements, see the Legacy DigiCert Document Signing products section on the Document Signing products page.

Starting March 13, 2025, at 10:00 MDT (16:00 UTC), before DigiCert issues your Secure Email (S/MIME) certificates, we must check, process, and abide by your email domains’ DNS Certification Authority Authorization (CAA) resource records. To learn more about why we are making this change, see Why DigiCert will check CAA Resource Records before issuing Secure Email (S/MIME) certificates below.

We are happy to announce that we are working on a new command center to track and complete the domain and organization validation tasks for your pending TLS certificate order.

What’s changed?

The new, interactive design for the "Need to Do" domain and organization validation checklists allows you to quickly sort and filter pending and completed tasks, making it easier to complete the validation tasks for your pending certificate order. Additionally, we included more information about the organization tasks, making it easier to understand what DigiCert needs to do and how you can help.

Try it out today. Then, let us know what you think by completing the survey in CertCentral. Your feedback is vital as we continue to develop the new validation experience.

Check it out

DigiCert will perform scheduled maintenance on March 1, 2025, 17:00 - 19:00 CET (16:00 - 18:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Other DigiCert services

To learn more about the impact of the March 1 maintenance on other DigiCert services, such as DigiCert​​®​​ Document Trust Manager, see the Saturday, March 1 entry in the DigiCert Europe 2025 maintenance schedule.

What can I do?

Services will be restored as soon as the maintenance is completed.

DigiCert will perform scheduled maintenance on March 1, 2025, 22:00 – 24:00 MST (March 2, 2025, 05:00 – 07:00 UTC).

How does this affect me?

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

DigiCert must perform a critical upgrade on the ADSS signing service on February 15, 2025, 02:00 to 06:00 CET (01:00 – 05:00 UTC). During this time, the ADSS signing service in our DigiCert® Document Trust Manager Netherlands location will be down for approximately four hours.

How does this affect me?

The ADSS signing service upgrade starts at 02:00 CET (01:00 UTC). From 02:00 to 06:00 CET (01:00 – 05:00 UTC), the ADSS signing services will be down for approximately four hours.

Affected services

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

On February 13, 2025, at 23:30 MST (February 14, at 06:30 UTC), DigiCert will replace the QuoVadis timestamping certificate. Additionally, we will issue the timestamping certificate from a different intermediate CA (ICA) certificate.

How does this affect me?

Please check your current timestamp usage for dependencies on the timestamp certificate and its issuing ICA certificate.

Does this affect my existing signatures?

No. Rolling out a new timestamping certificate does not affect your existing signatures. Timestamped signatures will remain valid, secure, and trusted.

References

On February 12, 2025, at 23:30 MST (February 13, at 06:30 UTC), DigiCert will replace the QuoVadis timestamping certificate. Additionally, we will issue the timestamping certificate from a different intermediate CA (ICA) certificate.

DigiCert removed the Mark details section from the Verified Mark and Common Mark Certificate request forms and these certificates’ pending Order details pages.

Why did DigiCert remove the Mark details section?

Logo verification

DigiCert must still verify your logo before we can issue your Mark Certificate.

References

On February 6, 2025, at 23:30 MST (February 7, at 06:30 UTC), DigiCert will replace the QuoVadis timestamping certificate. Additionally, we will issue the timestamping certificate from a different intermediate CA (ICA) certificate.

Now, when you order a Secure Email for Individual, Business, or Organization certificate, you will see a Profile options menu with three profiles to choose from: Strict, Multipurpose, and Legacy.

The selected profile affects the certificate validity and the supported certificate usages. The profile may also affect what recipient information you must and can include in the certificate:

Why does DigiCert offer three profiles?

The S/MIME Baseline Requirements currently support three profiles for Secure Email (S/MIME) certificates: Strict, Multipurpose, and Legacy.

DigiCert still supports the Legacy profile for various backward compatibility use cases, including client authentication and/or document signing. If you only use the Legacy profile because you require the additional certificate usages, we recommend moving to the newer Multipurpose profile.

Learn more

For more information about ordering your Secure Email certificate:

The ADSS signing service, PrimoSign signing service, and legacy QuoVadis certificate issuance will be down during scheduled Europe maintenance on February 1, 2025, 17:00 - 19:00 CET (16:00 - 18:00 UTC).

How does this affect me?

Affected services:

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

DigiCert® PKI Platform 8 will experience brief and periodic maintenance-related service interruptions during scheduled maintenance on February 1, 2025, 22:00 – 24:00 MST (February 2, 05:00 – 07:00 UTC).

How does this affect me?

The PKI Platform 8 maintenance starts at 22:00 MST (05:00 UTC). From 22:00 to 24:00 MST (05:00 to 07:00 UTC), PKI Platform 8 will experience brief and periodic service interruptions.

Affected services

PKI Platform 8

API notes

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

The ADSS signing service, PrimoSign signing service, and some QuoVadis services will be down during scheduled Europe maintenance on January 11, 2025, 17:00 - 19:00 CET (16:00 - 18:00 UTC).

How does this affect me?

Affected services:

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

The PrimoSign signing services will be down for approximately 60 minutes during scheduled Global maintenance on January 11, 2025, 22:00 – 24:00 MST (January 12, 05:00 – 07:00 UTC).

How does this affect me?

The maintenance starts at 22:00 MST (05:00 UTC). At this time, the PrimoSign signing services will be down for approximately 60 minutes.

Affected services

Document Trust Manager's PrimoSign signing service in the DigiCert® ONE USA location.

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

On January 10, 2025, at 08:00 MST (15:00 UTC), DigiCert must assign new dedicated IPv4 addresses to several services. We will also remove support for IPv6 addresses at this time.

Why is DigiCert adding moving to new dedicated IPv4 addresses and removing support for IPv6 addresses?

Our current CDN (content delivery network) is discontinuing its services, forcing us to move to a new service platform before the services end, which is why we are unable to provide you with more time to prepare. When we move to our new CDN, we will focus only on IPv4 addresses and remove support for IPv6 addresses.

For more details about the new dedicated IPv4 addresses, see our knowledge base article, DigiCert Certificate Status IP Addresses.

What do I need to do?

Does your company use allowlists?

Affected platforms:

Affected services:

On January 8, 2025, DigiCert will make the following changes to our domain validation process per new industry requirements:

These changes affect all web-based WHOIS domain validations, including the following certificate types: TLS, Verified Mark and Common Mark, Secure Email (S/MIME), DirectAssured, and DirectTrust. See End of life for WHOIS-based DCV methods.

How does this affect me?

Are you using the WHOIS-based Email or Phone DCV methods to validate your domains, and has DigiCert’s automated WHOIS lookup ever failed to retrieve your desired email address for your domains?

If you answered yes to both questions above, then you are probably impacted. Starting January 8, your email or phone domain control validation could fail if it relies on a manual/HTTPS web-based WHOIS lookup by our validation agents.

What do I need to do?

Do you rely on immediate certificate issuance?

Why will DigiCert stop using manual/HTTPS web-based WHOIS lookups and reusing existing domain validations where a manual/HTTPS web-based WHOIS lookup was used?

The industry recently adopted Ballot SC-80v3: Sunset the Use of WHOIS to Identify Domain Contacts and Relying DCV Methods. To comply with industry changes mandated by the ballot, certificate authorities (CAs), such as DigiCert, must stop using WHOIS to identify domain contacts for email, fax, SMS, postal mail, and phone domain control validation (DCV) methods. Note that DigiCert only supports the email and phone WHOIS-based DCV methods.

References