Configure ICA certificate chain selection
By default, DigiCert issues public TLS certificates from mixed SHA-256 certificate chains (SHA-1 root with SHA-256 ICA). Use ICA certificate chain selection to set a different default for organizations whose applications or policies require full SHA-256 or ECC certificate chains.
Before you begin
ICA certificate chain selection must be enabled for your account. Contact your DigiCert account manager or DigiCert support to have this feature added.
Important
Enabling this feature does not change your current default intermediate chain. You must set a new default manually in Product settings.
Changing the default ICA chain does not affect previously issued certificates or pending orders.
To change the ICA chain on an issued certificate, reissue the certificate.
To change the ICA chain on a pending order, cancel it and submit a new request.
In the CertCentral main menu, go to Settings > Product settings.
Configure the ICA certificate chain settings for your account or a division in your account. If you have divisions, use the division (For) dropdown to configure the ICA certificate chain selections for a division.
Configure the ICA certificate chain settings for a role in your account or a division.
To configure role-based ICA certificate chain selections, check Configure products by role.
In the Role column, select a role: Administrator, Limited User, Finance Manager, Manager, or Standard User.
Configure the default ICA certificate chain for the TLS certificate.
In the Product column, select a public DV, OV, or EV TLS certificate.
In the Product Settings column, in the Default intermediate chain dropdown, select the ICA certificate chain that DigiCert should use by default to issue the TLS certificate.
Configure which ICA certificate chains are available on the TLS certificate request form. In the Product Settings column, in the Allowed intermediate chains [Intermediate CA] > [Root CA] dropdown, select the intermediate certificate chains a requester can use to issue the TLS certificate.
Notice
On the TLS certificate order form, the "default" chain is preselected. If the requester wants to use a different intermediate chain, they must expand the Additional certificate options section and select a different one. To remove the requester's ability to use a different ICA certificate chain, add only the default ICA certificate chain to the allowed intermediate chains. The requester will not be able to change it.
Select Save settings.
After you save, an Intermediate chains menu appears in the Additional certificate options section of all supported TLS certificate order forms. Requesters can use this to select a different chain when ordering.
Notice
Always use the intermediate CA certificate file that comes with your TLS certificate. Do not pin or hardcode ICA or root certificates. DigiCert may rotate intermediate CAs, and pinned certificates will then cause trust failures.
What happens next
Default ICA certificate chain: The next time you order the public DV, OV, or EV TLS certificate, DigiCert will use the ICA certificate chain you set as the default to issue your TLS certificate.
Multiple ICA certificate chains available: The next time you order the public DV, OV, or EV TLS certificate, you can select the ICA certificate chain DigiCert should use to issue your TLS certificate.
To select a different ICA certificate chain:
On the certificate request form, expand Additional certificate options.
In the Intermediate chains [Intermediate CA] > [Root CA] dropdown, select an ICA certificate chain to issue the TLS certificate.
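To confirm that a certificate was issued from the chain type you selected (mixed SHA-256, full SHA-256, or ECC), you can check how each certificate in the delivered bundle is signed. The following Python is an added example, not DigiCert code; it assumes a PEM bundle ordered leaf, ICA, root with the root included, and the function names and the skeleton test certificates are constructed for illustration.

```python
import base64
import re

SIG_OIDS = {  # outer signatureAlgorithm OID (DER content, hex) -> (key type, hash)
    "2a864886f70d010105": ("RSA", "SHA-1"),      # sha1WithRSAEncryption
    "2a864886f70d01010b": ("RSA", "SHA-256"),    # sha256WithRSAEncryption
    "2a8648ce3d040302": ("ECDSA", "SHA-256"),    # ecdsa-with-SHA256
    "2a8648ce3d040303": ("ECDSA", "SHA-384"),    # ecdsa-with-SHA384
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (value_start, value_end) of the DER element starting at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def signature_algorithm(der):
    """Read the outer signatureAlgorithm OID of one DER-encoded X.509 certificate."""
    start, _ = read_tlv(der, 0)                  # Certificate SEQUENCE
    _, tbs_end = read_tlv(der, start)            # skip tbsCertificate
    alg_start, _ = read_tlv(der, tbs_end)        # AlgorithmIdentifier SEQUENCE
    oid_start, oid_end = read_tlv(der, alg_start)
    return SIG_OIDS.get(der[oid_start:oid_end].hex(), ("unknown", "unknown"))

def chain_profile(pem_bundle):
    """Classify a bundle ordered leaf, ICA, root by how each certificate is signed."""
    algs = [signature_algorithm(base64.b64decode(b)) for b in PEM_RE.findall(pem_bundle)]
    if not algs:
        raise ValueError("no certificates found in bundle")
    keys, hashes = zip(*algs)
    if set(keys) == {"ECDSA"}:
        return "ECC"
    if set(hashes) == {"SHA-256"}:
        return "full SHA-256"
    if hashes[-1] == "SHA-1" and set(hashes[:-1]) == {"SHA-256"}:
        return "mixed SHA-256"                   # SHA-1 self-signed root, SHA-256 below it
    return "other"

def fake_cert(oid_hex):
    """Constructed skeleton (not a real certificate): empty tbs plus the given OID."""
    oid = bytes.fromhex(oid_hex)
    body = b"\x30\x00" + bytes([0x30, len(oid) + 2, 0x06, len(oid)]) + oid + b"\x03\x01\x00"
    der = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{der}\n-----END CERTIFICATE-----\n"

MIXED_SAMPLE = fake_cert("2a864886f70d01010b") * 2 + fake_cert("2a864886f70d010105")  # constructed
```

Run `chain_profile` on the contents of the bundle file delivered with the certificate rather than on a stored copy of an intermediate, so the check follows any ICA rotation.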