CertCentral to issue GeoTrust and RapidSSL DV certificates from new intermediate CA certificates
On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.
Old ICA certificates
New ICA certificates
See the DigiCert ICA Update KB article.
How does this affect me?
Rolling out new ICA certificates does not affect your existing DV certificates. Active certificates issued from the replaced ICA certificates will remain trusted until they expire.
However, all new certificates, including certificate reissues, will be issued from the new ICA certificates. To ensure ICA certificate replacements go unnoticed, always include the provided ICA certificate with every TLS certificate you install.
No action is required unless you do any of the following:
Action required
If you practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. You should stop pinning and hard coding ICA certificates or make the necessary changes to ensure your GeoTrust DV and RapidSSL DV certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to their new ICA certificate and trusted root.
See the DigiCert Trusted Root Authority Certificates page to download copies of the new Intermediate CA certificates.
What if I need more time?
If you need more time to update your environment, you can continue to use the old 2020 ICA certificates until they expire. Contact DigiCert Support, and they can set that up for your account. However, after May 31, 2022, RapidSSL DV and GeoTrust DV certificates issued from the 2020 ICA certificates will be truncated to less than one year.
CertCentral Report Library now available
We are happy to announce the CertCentral Report Library is now available for CertCentral Enterprise and CertCentral Partner.* The Report Library is a powerful reporting tool that allows you to download more than 1000 records at a time. Use the Report Library to build, schedule, organize, and export reports to share and reuse.
The Report Library includes six customizable reports: Orders, Organizations, Balance history, Audit log, Domains, and Fully qualified domain names (FQDN). When building reports, you control the details and information that appear in the report, configure the columns and column order, schedule how often you want the report to run (once, weekly, or monthly), and choose the report format (CSV, JSON, or Excel). In addition, you receive notices when the report is ready for download in your account.
To build your first report:
To learn more about building reports:
*Note: Don't see the Report Library in your account? Contact your account manager or our support team for help.
CertCentral Report Library API also available
We're pleased to announce the release of the CertCentral Report Library API! This new API service makes it possible to leverage key features of the Report Library in your CertCentral API integrations, including building reports and downloading report results*.
See our Report Library API documentation to learn more about including the Report Library in your API integrations.
*Note: To use the CertCentral Report Library API, Report Library must be enabled for your CertCentral account. For help activating the Report Library, contact your account manager or our support team.
Bugfix: Unique organization name check did not include assumed name
We updated our unique organization name check to include the assumed name (doing business as name) when creating an organization.
Before, in CertCentral and the CertCentral Services API, when you tried to create an organization with the same name as an existing organization, we returned an error and would not let you create the organization, even if the assumed name (DBA) was different.
Now, when you create an organization, we include the assumed name in the unique organization check. Therefore, you can create organizations with the same name, as long as each organization has a unique assumed name.
For example:
Creating organizations
In CertCentral and the CertCentral Services API, you can create an organization to submit for prevalidation or when you order a TLS/SSL certificate. This change applies to both processes.
CertCentral: DigiCert now issues client certificates from the DigiCert Assured ID Client CA G2 intermediate CA certificate
To remain compliant with industry standards, DigiCert had to replace the intermediate CA (ICA) certificate used to issue CertCentral client certificates.
CertCentral client certificate profiles that used the DigiCert SHA2 Assured ID CA intermediate CA certificate now use the DigiCert Assured ID Client CA G2 intermediate CA certificate. This change also changes the root certificate from DigiCert Assured ID Root CA to DigiCert Assured ID Root G2.
Old ICA and root certificates
New ICA and root certificates
For more information, see DigiCert ICA Update. To download a copy of the new intermediate CA certificate, see DigiCert Trusted Root Authority Certificates.
Do you still need your client certificate to chain to the DigiCert Assured ID Root CA certificate? Contact your account representative or DigiCert Support.
Industry moves to 3072-bit key minimum RSA code signing certificates
Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes,
How do these changes affect my existing 2048-bit key certificates?
All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.
What if I need 2048-bit key code signing certificates?
Take these actions, as needed, before May 27, 2021:
How do these changes affect my code signing certificate process starting May 27, 2021?
Reissues for code signing certificate
Starting May 27, 2021, all reissued code signing certificates will be:
New and renewed code signing certificates
Starting May 27, 2021, all new and renewed code signing certificates will be:
CSRs for code signing certificates
Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.
eTokens for EV code signing certificates
Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.
HSMs for EV code signing certificates
Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.
New ICA and root certificates
Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).
RSA ICA and root certificates:
ECC ICA and root certificates:
No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.
If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).
References
If you have questions or concerns, please contact your account manager or our support team.
CertCentral Services API: Auto-reissue support for Multi-year Plans
We are happy to announce that the CertCentral Services API now supports automatic certificate reissue requests (auto-reissue) for Multi-year Plans. The auto-reissue feature makes it easier to maintain SSL/TLS coverage on your Multi-year Plans.
You can enable auto-reissue for individual orders in your CertCentral account. When auto-reissue is enabled, we automatically create and submit a certificate reissue request 30 days before the most recently issued certificate on the order expires.
Enable auto-reissue for a new order
To give you control over the auto-reissue setting for new Multi-year Plans, we added a new request parameter to the endpoints for ordering DV, OV, and EV TLS/SSL certificates: auto_reissue
.
By default, auto-reissue is disabled for all orders. To enable auto-reissue when you request a new Multi-year Plan, set the value of the auto_reissue
parameter to 1
in the body of your request.
Example request body:
Note: In new order requests, we ignore the auto_reissue
parameter if:
Update auto-reissue setting for existing orders
To give you control over the auto-reissue setting for existing Multi-year Plans, we added a new endpoint: Update auto-reissue settings. Use this endpoint to enable or disable the auto-reissue setting for an order.
Get auto-reissue setting for an existing order
To help you track the auto-reissue setting for existing certificate orders, we added a new response parameter to the Order info endpoint: auto_reissue
. The auto_reissue
parameter returns the current auto-reissue setting for the order.
ICA certificate chain selection for public DV flex certificates
We are happy to announce that select public DV certificates now support Intermediate CA certificate chain selection:
You can add a feature to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues the end-entity certificate when you order these public DV products.
This feature allows you to:
Configure ICA certificate chain selection
To enable ICA selection for your account:
For more information and step-by-step instructions, see the Configure the ICA certificate chain feature for your public TLS certificates.
DigiCert Services API: DV certificate support for ICA certificate chain selection
In the DigiCert Services API, we made the following updates to support ICA selection in your DV certificate order requests:
Pass in the issuing ICA certificate's ID as the value for the ca_cert_id parameter in your order request's body.
Example DV certificate request:
For more information about using ICA selection in your API integrations, see DV certificate lifecycle – Optional ICA selection.
DigiCert va cesser d'émettre certificats de signature de code en SHA-1
Le mardi 1er décembre 2020 HNR, DigiCert cessera d'émettre des certificats de signature de code SHA-1 et des certificats de signature de code EV SHA-1.
Remarque : Tous les certificats de signature de code/signature de code EV en SHA-1 resteront actifs jusqu'à leur expiration.
Pourquoi ces changements de la part de DigiCert ?
Pour respecter les nouvelles normes en vigueur dans l’industrie, les autorités de certification (AC) doivent effectuer les changements suivants d'ici au 1er janvier 2021 :
Reportez-vous à l’Annexe A des Exigences de base pour l’émission et la gestion des certificats de signature de code approuvés publiquement.
En quoi les changements concernant les certificats de signature de code SHA-1 me concernent-ils ?
Si vous devez utiliser des certificats de signature de code en SHA-1, prenez les mesures suivantes, si nécessaire, avant le 1er décembre 2020 :
Pour de plus amples informations sur les changements prévus au 1er décembre 2020, consultez notre article de la base de connaissances DigiCert va cesser d'émettre des certificats de signature de code en SHA-1.
Si vous avez d'autres questions, veuillez contacter votre gestionnaire de compte ou notre équipe de support.
DigiCert va remplacer plusieurs certificats d’AC intermédiaires
Le lundi 2 novembre 2020, DigiCert remplace un autre groupe de certificats d’AC intermédiaires (ICA). Pour obtenir la liste des certificats d’ICA remplacés, consultez notre article de la base de connaissances sur les mises à jour d’ICA DigiCert.
En quoi cela me concerne-t-il ?
Le déploiement des nouvelles ICA n’a aucun effet sur les certificats existants. Nous ne supprimons pas les anciennes ICA des magasins de certificats jusqu’à ce que tous les certificats qui en dépendent aient expiré. Par conséquent, les certificats actifs émis par les ICA remplacées resteront approuvés.
Cependant, cela affectera les certificats existants si vous demandez leur réémission, car celle-ci se fera par la nouvelle ICA. Nous vous conseillons d'inclure systématiquement l’ICA fournie à tous les certificats que vous installez. Il s'agit d'une bonne pratique recommandée depuis toujours car elle garantit que les remplacements d’ICA sont totalement transparents.
Aucune action n’est requise sauf à ce que vous ayez fait l’une des actions suivantes :
Si vous êtes concerné par l’un des cas ci-dessus, nous vous conseillons de mettre à jour votre environnement aussi vite que possible. Pour vous assurer que les certificats émis par les nouvelles ICA sont approuvés (en d'autres termes, qu’ils peuvent être rattachés à leur nouvelle ICA et à la racine de confiance), évitez d’épingler ou de coder en dur les ICA, ou effectuez les changements requis
Remplacements des certificats d’AC intermédiaire
Surveillez attentivement les pages indiquées ci-dessous. Ces pages sont actives ; elles sont mises à jour régulièrement pour donner les dernières informations concernant le remplacement des certificats d’ICA et pour fournir des copies des nouveaux certificats d’AC intermédiaire DigiCert.
DigiCert va remplacer les certificats d’AC intermédiaires
Nous remplaçons les ICA pour les raisons suivantes :
Si vous avez des questions, veuillez contacter votre gestionnaire de compte ou notre équipe de support.
Sélection de la chaîne de certificats ICA pour les certificats flexibles OV et EV publics
Nous avons le plaisir d'annoncer que les certificats OV et EV à capacités flexibles permettent désormais la sélection de la chaîne de certificats d’AC intermédiaires.
Vous pouvez ajouter une option à votre compte CertCentral vous permettant de contrôler quelle chaîne de certification d’ICA DigiCert émet vos certificats "flexibles" OV et EV publics.
Cette option vous permet de .
Configurez la sélection de chaîne de certification d’ICA
Pour activer la sélection d’ICA sur votre compte, prenez contact avec votre gestionnaire de compte ou notre équipe de support. Puis, dans votre compte CertCentral, sur la page des paramètres de produit (dans le menu principal de gauche, rendez-vous dans Paramètres > Paramètres de produit), configurez les intermédiaires autorisés et par défaut pour chaque type de certificat flexible OV et EV.
Pour plus d'informations et pour obtenir des instructions pas à pas, consultez la page Option de chaîne de certificats ICA pour les certificats flexibles OV et EV publics.
Prise en charge de la sélection de chaîne de certification d’ICA par l’API Services de DigiCert
Dans l’API Services de DigiCert, nous avons effectués certains changements afin de prendre en charge la sélection d’IPA dans vos intégrations.
ca_cert_id
dans le corps de votre requête de commande.Exemple de requête de certificat flexible :
Pour plus d’informations sur l’utilisation de la sélection de l’ICA dans vos intégrations d’API, consultez la page Cycle de vie d'un certificat OV/EV – Sélection de l’ICA (facultatif).