Change log | docs.digicert.com

5月 24, 2022

reissued certificates new certificates ICAs DV SSL certificates intermediate CA certificates compliance New GeoTrust RapidSSL

CertCentral to issue GeoTrust and RapidSSL DV certificates from new intermediate CA certificates

On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.

Old ICA certificates

GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
GeoTrust TLS DV RSA Mixed SHA256 2021 CA-1
RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
RapidSSL TLS DV RSA Mixed SHA256 2021 CA-1

New ICA certificates

GeoTrust Global TLS RSA4096 SHA256 2022 CA1
RapidSSL Global TLS RSA4096 SHA256 2022 CA1

See the DigiCert ICA Update KB article.

How does this affect me?

Rolling out new ICA certificates does not affect your existing DV certificates. Active certificates issued from the replaced ICA certificates will remain trusted until they expire.

However, all new certificates, including certificate reissues, will be issued from the new ICA certificates. To ensure ICA certificate replacements go unnoticed, always include the provided ICA certificate with every TLS certificate you install.

No action is required unless you do any of the following:

Pin the old versions of the intermediate CA certificates
Hard code the acceptance of the old versions of the intermediate CA certificates
Operate a trust store that includes the old versions of the intermediate CA certificates

Action required

If you practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. You should stop pinning and hard coding ICA certificates or make the necessary changes to ensure your GeoTrust DV and RapidSSL DV certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to their new ICA certificate and trusted root.

See the DigiCert Trusted Root Authority Certificates page to download copies of the new Intermediate CA certificates.

What if I need more time?

If you need more time to update your environment, you can continue to use the old 2020 ICA certificates until they expire. Contact DigiCert Support, and they can set that up for your account. However, after May 31, 2022, RapidSSL DV and GeoTrust DV certificates issued from the 2020 ICA certificates will be truncated to less than one year.

11月 16, 2021

File api OV SSL certificates DCV CertCentral domain validation DV SSL certificates http token HTTP Practical Demonstration EV SSL certificates tls certificates FileAuth Services API SSL certificates domain control validation wildcard domains http auth SC45 domain prevalidation file-based DCV

Industry changes to file-based DCV (HTTP Practical Demonstration, file auth, file, HTTP token, and HTTP auth)

To comply with new industry standards for the file-based domain control validation (DCV) method, you can only use the file-based DCV to demonstrate control over fully qualified domain names (FQDNs), exactly as named.

To learn more about the industry change, see Domain validation policy changes in 2021.

How does this affect me?

As of November 16, 2021, you must use one of the other supported DCV methods, such as Email, DNS TXT, and CNAME, to:

Validate wildcard domains (*.example.com)
To include subdomains in the domain validation when validating the higher-level domain. For example, if you want to cover www.example.com, when you validate the higher-level domain, example.com.
Prevalidate entire domains and subdomains.

To learn more about the supported DCV method for DV, OV, and EV certificate requests:

CertCentral: Pending certificate requests and domain prevalidation using file-based DCV

Pending certificate request

If you have a pending certificate request with incomplete file-based DCV checks, you may need to switch DCV methods* or use the file-based DCV method to demonstrate control over every fully qualified domain name, exactly as named, on the request.

*Note: For certificate requests with incomplete file-based DCV checks for wildcard domains, you must use a different DCV method.

To learn more about the supported DCV methods for DV, OV, and EV certificate requests:

Domain prevalidation

If you plan to use the file-based DCV method to prevalidate an entire domain or entire subdomain, you must use a different DCV method.

To learn more about the supported DCV methods for domain prevalidation, see Supported domain control validation (DCV) methods for domain prevalidation.

CertCentral Services API

If you use the CertCentral Services API to order certificates or submit domains for prevalidation using file-based DCV (http-token), this change may affect your API integrations. To learn more, visit File-based domain control validation (http-token).

11月 6, 2021

CIS DigiCert One CertCentral PKI Platform 8 Direct Cert Portal TrustLink certificate issuance ACME DV SSL certificates scheduled maintenance SCEP Direct Cert Portal API ACME agent automation Discovery API Services API DV certificate issuance TrustLink ACME agent automation API discovery

Upcoming Schedule Maintenance

DigiCert will perform scheduled maintenance on November 6, 2021, between 22:00 – 24:00 MDT (November 7, 2021, between 04:00 – 06:00 UTC).

CertCentral infrastructure-related maintenance downtime

We will start this infrastructure-related maintenance between 22:00 and 22:10 MDT (04:00 and 04:10 UTC). Then, for approximately 30 minutes, the following services will be down:

DV certificate issuance for CertCentral, ACME, and ACME agent automation

DV certificate requests submitted during this time will fail
APIs will return a "cannot connect" error
Failed requests should be resubmitted after services are restored

CIS and SCEP

Certificate Issuing Service (CIS) will be down
Simple Certificate Enrollment Protocol (SCEP) will be down
DigiCert will be unable to issue certificates for CIS and SCEP
APIs will return a "cannot connect" error
Requests that return "cannot connect" errors should be resubmitted after services are restore

QuoVadis TrustLink certificate issuance

TrustLink certificate requests submitted during this time will fail
However, failed requests will be added to a queue for processing later
Queued-up requests will be processed after services are restored, as required

This maintenance only affects DV certificate issuance, CIS, SCEP, and TrustLink certificate issuance. It does not affect any other DigiCert platforms or services .

PKI Platform 8 maintenance

We will start the PKI Platform 8 maintenance at 22:00 MDT (04:00 UTC). Then, for approximately 30 minutes, the PKI Platform 8 will experience service delays and performance degradation that affect:

Signing in and using your PKI Platform 8 to perform in-console certificate lifecycle tasks.
Using any of your PKI Platform 8 corresponding APIs or protocols (for example, SOAP, REST, SCEP, and EST) to perform certificate lifecycle operations.
Performing certificate lifecycle tasks/operations:
- Enrolling certificates: new, renew, or reissues
- Adding domains and organizations
- Submitting validation requests
- Viewing reports, revoking certificates, and creating profiles
- Adding users, viewing certificates, and downloading certificates
Certificate issuance for PKI Platform 8 and its corresponding API.

Additionally:

APIs will return a "cannot connect" error.
Certificate enrollments that receive "cannot connect" errors must be resubmitted after DigiCert restores services.

The PKI Platform 8 maintenance only affects PKI Platform 8. It does not affect any other DigiCert platforms or services.

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

3月 12, 2021

reissues flexible certificates new endpoints DV SSL certificates intermediate CA certificates updated endpoints ICA selection New auto-reissue Services API Multi-year plan

CertCentral Services API: Auto-reissue support for Multi-year Plans

We are happy to announce that the CertCentral Services API now supports automatic certificate reissue requests (auto-reissue) for Multi-year Plans. The auto-reissue feature makes it easier to maintain SSL/TLS coverage on your Multi-year Plans.

You can enable auto-reissue for individual orders in your CertCentral account. When auto-reissue is enabled, we automatically create and submit a certificate reissue request 30 days before the most recently issued certificate on the order expires.

Enable auto-reissue for a new order

To give you control over the auto-reissue setting for new Multi-year Plans, we added a new request parameter to the endpoints for ordering DV, OV, and EV TLS/SSL certificates: auto_reissue.

By default, auto-reissue is disabled for all orders. To enable auto-reissue when you request a new Multi-year Plan, set the value of the auto_reissue parameter to 1 in the body of your request.

Example request body:

Example order request body with auto reissue enabled

Note: In new order requests, we ignore the auto_reissue parameter if:

The product does not support Multi-year Plans.
Multi-year Plans are disabled for the account.

Update auto-reissue setting for existing orders

To give you control over the auto-reissue setting for existing Multi-year Plans, we added a new endpoint: Update auto-reissue settings. Use this endpoint to enable or disable the auto-reissue setting for an order.

Get auto-reissue setting for an existing order

To help you track the auto-reissue setting for existing certificate orders, we added a new response parameter to the Order info endpoint: auto_reissue. The auto_reissue parameter returns the current auto-reissue setting for the order.

ICA certificate chain selection for public DV flex certificates

We are happy to announce that select public DV certificates now support Intermediate CA certificate chain selection:

GeoTrust DV SSL
Thawte SSL 123 DV
RapidSSL Standard DV
RapidSSL Wildcard DV
Encryption Everywhere DV

You can add a feature to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues the end-entity certificate when you order these public DV products.

This feature allows you to:

Set the default ICA certificate chain for each supported public DV certificate.
Control which ICA certificate chains certificate requestors can use to issue their DV certificate.

Configure ICA certificate chain selection

To enable ICA selection for your account:

Contact your account manager or our Support team.
Then, in your CertCentral account, in the left main menu, go to Settings > Product Settings.
On the Product Settings page, configure the default and allowed intermediates for each supported and available DV certificate.

For more information and step-by-step instructions, see the Configure the ICA certificate chain feature for your public TLS certificates.

DigiCert Services API: DV certificate support for ICA certificate chain selection

In the DigiCert Services API, we made the following updates to support ICA selection in your DV certificate order requests:

Updated the Product list endpoint
After adding the ICA certificate selection chain feature to your account, the Product list endpoint returns each ICA certificate's name and ID available to issue end-entity certificates for the supported DV products (see allowed_ca_certs).
Updated the Product limits endpoint
After you configure the allowed and default ICA certificates for a DV product, the Product limits endpoint returns the default issuing ICA (default_intermediate) and allowed issuing ICAs (allowed_intermediates) that certificate requestor with a given container and user role assignment can select.
Updated the Product info endpoint
The Product list endpoint now returns the name, ID, and certificate chain information for the issuing ICAs you can select when you request a given product (see allowed_ca_certs).
Added support for ICA chain selection to these DV certificate order requests:

Pass in the issuing ICA certificate's ID as the value for the ca_cert_id parameter in your order request's body.

Example DV certificate request:

For more information about using ICA selection in your API integrations, see DV certificate lifecycle – Optional ICA selection.

1月 25, 2021

OV SSL certificates DV SSL certificates EV SSL certificates New Services API email to dns txt contact prevalidation DCV email method

CertCentral Services API:［ドメインメール］エンドポイントを改善

メールベースのドメインの利用権確認 (DCV) 用にデジサートから認証メールを受け取る DNS TXT メールアドレスを探しやすくするため、［ドメインメール］エンドポイントに新しい応答パラメータを追加しました。dns_txt_emails.

dns_txt_emails パラメータは、そのドメインの DNS TXT レコードで見つかったメールアドレスのリストを返します。これらは、認証中のドメインの _validation-contactemail サブドメインの DNS TXT レコードにあるメールアドレスです。

新しいパラメータがある応答の例

新しいサポート対象の DNS TXT へのメール連絡 DCV 方法についての詳細：

変更ログ – 2021年1月13日

DV 証明書オーダーでのドメインの認証についての詳細:

ドメインの利用権確認 (DCV) 方法

OV/EV 証明書オーダーでのドメイン認証についての詳細：

1月 13, 2021

OV SSL certificates DV SSL certificates EV SSL certificates New email to dns txt contact prevalidation DCV email method

CertCentral:DNS TXT へのメール連絡 DCV 方法

デジサートはメールベースのドメインの利用権確認（DCV）に DNS TXT へのメール連絡をサポートしていますので、お知らせいたします。これは、お使いのドメインについて DNS TXT レコードにメールアドレスを追加できることになります。デジサートは、DNS TXT レコードを自動検索し、DCV メールをそれらのアドレスに送信します。メール受信者は、メールに記載の方法にしたがって、ドメインの利用権を確認する必要があります。

注記:以前は、デジサートは、DCV メールを WHOIS ベースおよび構築メールアドレスのみに送信していました。

業界の変化

連絡先情報は、個人情報保護方針およびその他の制約により、WHOIS レコードではますますアクセスできないようになっています。Ballot SC13 の通過により、認証局/ブラウザ (CA/B) フォーラムは、DNS TXT へのメール連絡をサポート対象の DCV methods.方法のリストに追加しました。

DNS TXT レコードメール連絡先

DNS TXT へのメール連絡 DCV 方法でメールを使用するには、認証が必要なドメインの _validation-contactemail サブドメインに DNS TXT レコードを入れる必要があります。デジサートは、WHOIS と DNS TXT レコードを自動検索し、それらのレコードで見つかったアドレスに DCV メールを送信します。

_validation-contactemail.example.com | Default | validatedomain@digicerttest.com

テキストレコードの RDATA 値は、有効なメールアドレスである必要がります。ベースライン要件の付録にあるセクション「B.2.1 DNS TXT レコードメール連絡」を参照してください。

Ballot SC13 についての詳細は、CA/ブラウザフォーラムおよび DNS TXT へのメール連絡 DCV 方法:

10月 22, 2020

DV SSL certificates AuthKey API documentation

CertCentral Services API:ドキュメント更新

DV 証明書オーダー用の CertCentral Services API ドキュメントに新しい要求パラメータを追加しました。use_auth_key. 既存の AuthKey があるアカウントでは、このパラメータを使用して DV 証明書オーダーを執行するときに AuthKey 要求トークン用の DNS レコードを選択できるかどうかをチェックできます。

デフォルトでは、お使いのアカウントについて AuthKey が存在している場合、DV 証明書をオーダーする前に DNS レコードへの AuthKey 要求トークンを追加する必要があります。AuthKey 要求トークンでは、即時証明書発行が可能なため、証明書の使用期間管理に費やす時間が短縮されます。ただし、メール認証またはデジサート生成トークンを使用したドメインの利用権確認に時間を要する場合があります。これらの場合、use_auth_key パラメータでは、オーダーレベルで AuthKey 要求トークンへのチェックを無効にできるため、別の方法を使用して、ドメインの利用権確認を行うことができます。ドメインの利用権確認 (DCV) についての詳細は、「ドメインの利用権確認 (DCV) 方法」を参照してください。

DV 証明書オーダーの AuthKey 確認方法を無効にするには、use_auth_key パラメータを、その要求の JSON ペイロードに入れます。例えば:

次のエンドポイントは、use_auth_key パラメータをサポートしています。

即時 DV 証明書発行での AuthKey の使用についての詳細は、「DV 証明書時発行」を参照してください。デフォルト:

注記:use_auth_key パラメータは、 Encryption Everywhere DV 証明書の要求では無視されます。Encryption Everywhere DV 証明書のすべての要求には、DCV 用の AuthKey 要求トークンが必要です。また、OV と EV SSL 製品は、use_auth_key 要求パラメータをサポートしていません。

6月 3, 2020

DNS CNAME dcv methods File DNS TXT FileAuth DV SSL certificates public ssl certificates HTTP Practical Demonstration EV SSL certificates DCV polling OV SSL certificaates Automatic checks

CertCentral:自動 DCV チェック – DCV ポーリング

ドメインの利用権確認 (DCV) process and addedプロセスを改善し、DNS TXT、DNS CNAME、および HTTP 実際的実証 (FileAuth) DCV 方法の自動チェックを追加したことをお知らせいたします。

これは、お使いのドメインに fileauth.txt ファイルを入れ、ランダム値を DNS TXT または DNS CNAME レコードに追加したら、チェック実行のために CertCentral に自らサインインする煩わしさはなくなるということです。DCV チェックを自動的に実行します。ただし、必要な場合は、手動チェックをすることもできます。

DCV ポーリングケイデンス

パブリック SSL/TLS 証明書オーダーを提出、事前認証用にドメインを提出、またはドメイン用に DCV 方法を変更した後、DCV ポーリングがすぐに開始され、1週間実行されます。

間隔 1—最初 15 分間は毎分
間隔 2—１時間は5分ごと
間隔 3—4時間は4分ごと
間隔 4—1日は1時間ごと
間隔 5—1週間は４時間ごと*

*間隔 5 以降、チェックは停止します。最初の週の終わりまでに fileauth.txt ファイルをドメインに入れないか、ランダム値を DNS TXT または DNS CNAME レコードに追加しないと、自身でチェックが必要になります。

サポート対象の DCV 方法についての詳細: