CertCentral to issue GeoTrust and RapidSSL DV certificates from new intermediate CA certificates
On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.
Old ICA certificates
New ICA certificates
See the DigiCert ICA Update KB article.
How does this affect me?
Rolling out new ICA certificates does not affect your existing DV certificates. Active certificates issued from the replaced ICA certificates will remain trusted until they expire.
However, all new certificates, including certificate reissues, will be issued from the new ICA certificates. To ensure ICA certificate replacements go unnoticed, always include the provided ICA certificate with every TLS certificate you install.
No action is required unless you do any of the following:
Action required
If you practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. You should stop pinning and hard coding ICA certificates or make the necessary changes to ensure your GeoTrust DV and RapidSSL DV certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to their new ICA certificate and trusted root.
See the DigiCert Trusted Root Authority Certificates page to download copies of the new Intermediate CA certificates.
What if I need more time?
If you need more time to update your environment, you can continue to use the old 2020 ICA certificates until they expire. Contact DigiCert Support, and they can set that up for your account. However, after May 31, 2022, RapidSSL DV and GeoTrust DV certificates issued from the 2020 ICA certificates will be truncated to less than one year.
CertCentral Report Library now available
We are happy to announce the CertCentral Report Library is now available for CertCentral Enterprise and CertCentral Partner.* The Report Library is a powerful reporting tool that allows you to download more than 1000 records at a time. Use the Report Library to build, schedule, organize, and export reports to share and reuse.
The Report Library includes six customizable reports: Orders, Organizations, Balance history, Audit log, Domains, and Fully qualified domain names (FQDN). When building reports, you control the details and information that appear in the report, configure the columns and column order, schedule how often you want the report to run (once, weekly, or monthly), and choose the report format (CSV, JSON, or Excel). In addition, you receive notices when the report is ready for download in your account.
To build your first report:
To learn more about building reports:
*Note: Don't see the Report Library in your account? Contact your account manager or our support team for help.
CertCentral Report Library API also available
We're pleased to announce the release of the CertCentral Report Library API! This new API service makes it possible to leverage key features of the Report Library in your CertCentral API integrations, including building reports and downloading report results*.
See our Report Library API documentation to learn more about including the Report Library in your API integrations.
*Note: To use the CertCentral Report Library API, Report Library must be enabled for your CertCentral account. For help activating the Report Library, contact your account manager or our support team.
Bugfix: Unique organization name check did not include assumed name
We updated our unique organization name check to include the assumed name (doing business as name) when creating an organization.
Before, in CertCentral and the CertCentral Services API, when you tried to create an organization with the same name as an existing organization, we returned an error and would not let you create the organization, even if the assumed name (DBA) was different.
Now, when you create an organization, we include the assumed name in the unique organization check. Therefore, you can create organizations with the same name, as long as each organization has a unique assumed name.
For example:
Creating organizations
In CertCentral and the CertCentral Services API, you can create an organization to submit for prevalidation or when you order a TLS/SSL certificate. This change applies to both processes.
CertCentral: DigiCert now issues client certificates from the DigiCert Assured ID Client CA G2 intermediate CA certificate
To remain compliant with industry standards, DigiCert had to replace the intermediate CA (ICA) certificate used to issue CertCentral client certificates.
CertCentral client certificate profiles that used the DigiCert SHA2 Assured ID CA intermediate CA certificate now use the DigiCert Assured ID Client CA G2 intermediate CA certificate. This change also moves the root certificate from DigiCert Assured ID Root CA to DigiCert Assured ID Root G2.
Old ICA and root certificates
New ICA and root certificates
For more information, see DigiCert ICA Update. To download a copy of the new intermediate CA certificate, see DigiCert Trusted Root Authority Certificates.
Do you still need your client certificate to chain to the DigiCert Assured ID Root CA certificate? Contact your account representative or DigiCert Support.
Industry moves to 3072-bit key minimum RSA code signing certificates
Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes.
How do these changes affect my existing 2048-bit key certificates?
All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.
What if I need 2048-bit key code signing certificates?
Take these actions, as needed, before May 27, 2021:
How do these changes affect my code signing certificate process starting May 27, 2021?
Reissues for code signing certificate
Starting May 27, 2021, all reissued code signing certificates will be:
New and renewed code signing certificates
Starting May 27, 2021, all new and renewed code signing certificates will be:
CSRs for code signing certificates
Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.
eTokens for EV code signing certificates
Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.
HSMs for EV code signing certificates
Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.
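The CSR, eToken, and HSM requirements above all come down to one check before you submit a code signing request: the key in the CSR must be RSA and at least 3072 bits. The following script is an added example, not DigiCert's code; it uses only the openssl CLI, and the subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example (not DigiCert's code): generate a code signing CSR with a 3072-bit
# RSA key and check any CSR against the 3072-bit RSA minimum before submitting it.
# Subject fields are constructed placeholders.
set -e

# Generate a private key and CSR. Key size defaults to 3072 bits; pass 4096 for a larger key.
make_code_signing_csr() {  # make_code_signing_csr <key-out> <csr-out> [bits]
  key=$1; csr=$2; bits=${3:-3072}
  openssl req -new -newkey "rsa:$bits" -nodes \
    -subj '/C=US/O=Example Software Inc (placeholder)/CN=Example Software Inc (placeholder)' \
    -keyout "$key" -out "$csr" 2>/dev/null
}

# Print the CSR's public key algorithm, e.g. "rsaEncryption" or "id-ecPublicKey".
csr_key_algorithm() {
  openssl req -noout -text -in "$1" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# Print the key size in bits. openssl 1.1.1 prints "RSA Public-Key: (3072 bit)",
# openssl 3.x prints "Public-Key: (3072 bit)"; the pattern matches both.
csr_key_bits() {
  openssl req -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Returns 0 when the CSR carries an RSA key of at least 3072 bits, 1 otherwise.
csr_meets_rsa_minimum() {
  [ "$(csr_key_algorithm "$1")" = "rsaEncryption" ] || return 1
  bits=$(csr_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -ge 3072 ]
}

# Usage: sh check_csr.sh path/to/request.csr
if [ -n "$1" ]; then
  if csr_meets_rsa_minimum "$1"; then
    echo "OK: $(csr_key_bits "$1")-bit RSA key"
  else
    echo "REJECT: key is $(csr_key_algorithm "$1") $(csr_key_bits "$1") bit; need RSA >= 3072" >&2
    exit 1
  fi
fi
```

For EV code signing the key is generated on the eToken or HSM rather than with openssl, but the CSR it produces can be checked the same way before you upload it.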
New ICA and root certificates
Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).
RSA ICA and root certificates:
ECC ICA and root certificates:
No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.
If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).
References
If you have questions or concerns, please contact your account manager or our support team.
CertCentral Services API: Auto-reissue support for Multi-year Plans
We are happy to announce that the CertCentral Services API now supports automatic certificate reissue requests (auto-reissue) for Multi-year Plans. The auto-reissue feature makes it easier to maintain SSL/TLS coverage on your Multi-year Plans.
You can enable auto-reissue for individual orders in your CertCentral account. When auto-reissue is enabled, we automatically create and submit a certificate reissue request 30 days before the most recently issued certificate on the order expires.
Enable auto-reissue for a new order
To give you control over the auto-reissue setting for new Multi-year Plans, we added a new request parameter to the endpoints for ordering DV, OV, and EV TLS/SSL certificates: auto_reissue.
By default, auto-reissue is disabled for all orders. To enable auto-reissue when you request a new Multi-year Plan, set the value of the auto_reissue parameter to 1 in the body of your request.
Example request body:
Note: In new order requests, we ignore the auto_reissue parameter if:
Update auto-reissue setting for existing orders
To give you control over the auto-reissue setting for existing Multi-year Plans, we added a new endpoint: Update auto-reissue settings. Use this endpoint to enable or disable the auto-reissue setting for an order.
Get auto-reissue setting for an existing order
To help you track the auto-reissue setting for existing certificate orders, we added a new response parameter to the Order info endpoint: auto_reissue. The auto_reissue parameter returns the current auto-reissue setting for the order.
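Putting the three pieces together (the auto_reissue request parameter, the Order info response parameter, and the Update auto-reissue settings endpoint), the script below audits a list of existing orders and turns auto-reissue on where it is off. It is an added example, not DigiCert's code. Only the auto_reissue parameter comes from this page; the API base URL, the X-DC-DEVKEY key header, the endpoint paths, and the other order fields are assumptions, and the Order info response used when no API key is set is constructed sample data.

```shell
#!/bin/sh
# Added example (not DigiCert's code): audit auto_reissue on existing Multi-year Plan
# orders and enable it where it is off.
# Assumptions not stated on the page: API base URL, X-DC-DEVKEY header,
# GET /order/certificate/{order_id} for Order info, and
# PUT /order/certificate/{order_id}/auto-reissue for the update.
# Without DIGICERT_API_KEY set, requests are printed (dry run) instead of sent.
API_BASE="${API_BASE:-https://www.digicert.com/services/v2}"

# Request body for a new Multi-year Plan order with auto-reissue turned on.
# Only auto_reissue is from the page; the other fields stand in for the product's
# normal order fields.
new_order_body_with_auto_reissue() {  # <common_name> <csr> [years]
  printf '{"certificate": {"common_name": "%s", "csr": "%s"}, "order_validity": {"years": %s}, "auto_reissue": 1}' \
    "$1" "$2" "${3:-3}"
}

# Extract auto_reissue (0 or 1) from an Order info JSON response.
# sed is enough for the flat sample used here; use jq against the live API.
auto_reissue_setting() {
  printf '%s' "$1" | sed -n 's/.*"auto_reissue"[^0-9]*\([01]\).*/\1/p'
}

# GET Order info. In dry-run mode a constructed sample response is returned instead.
get_order_info() {  # <order_id>
  if [ -z "$DIGICERT_API_KEY" ]; then
    printf '{"id": %s, "status": "issued", "auto_reissue": 0}' "$1"   # constructed sample
    return
  fi
  curl -sS -H "X-DC-DEVKEY: $DIGICERT_API_KEY" "$API_BASE/order/certificate/$1"
}

# PUT the Update auto-reissue settings request (or print it in dry-run mode).
enable_auto_reissue() {  # <order_id>
  url="$API_BASE/order/certificate/$1/auto-reissue"
  if [ -z "$DIGICERT_API_KEY" ]; then
    printf 'dry-run: PUT %s {"auto_reissue": 1}\n' "$url"
    return
  fi
  curl -sS -X PUT -H "X-DC-DEVKEY: $DIGICERT_API_KEY" -H 'Content-Type: application/json' \
    -d '{"auto_reissue": 1}' "$url"
}

# For each order id, enable auto-reissue if the order reports it off.
# Prints one line per order: "<id> enabled", "<id> already on", or a note when the
# response carries no auto_reissue field at all.
ensure_auto_reissue() {  # <order_id>...
  for order_id in "$@"; do
    info=$(get_order_info "$order_id")
    case "$(auto_reissue_setting "$info")" in
      1) echo "$order_id already on" ;;
      0) enable_auto_reissue "$order_id" >/dev/null; echo "$order_id enabled" ;;
      *) echo "$order_id no auto_reissue field in response" ;;
    esac
  done
}

# Usage: DIGICERT_API_KEY=... sh ensure_auto_reissue.sh 12345 12346
[ $# -gt 0 ] && ensure_auto_reissue "$@"
```

Run it once without DIGICERT_API_KEY to see exactly which requests it would send, then with the key to apply them.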
ICA certificate chain selection for public DV flex certificates
We are happy to announce that select public DV certificates now support Intermediate CA certificate chain selection:
You can add a feature to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues the end-entity certificate when you order these public DV products.
This feature allows you to:
Configure ICA certificate chain selection
To enable ICA selection for your account:
For more information and step-by-step instructions, see Configure the ICA certificate chain feature for your public TLS certificates.
DigiCert Services API: DV certificate support for ICA certificate chain selection
In the DigiCert Services API, we made the following updates to support ICA selection in your DV certificate order requests:
Pass in the issuing ICA certificate's ID as the value for the ca_cert_id parameter in your order request's body.
Example DV certificate request:
For more information about using ICA selection in your API integrations, see DV certificate lifecycle – Optional ICA selection.
DigiCert to stop issuing SHA-1 code signing certificates
On December 1, 2020 (Tuesday) MST, DigiCert plans to stop issuing SHA-1 code signing and SHA-1 EV code signing certificates.
Note: All existing SHA-1 code signing and EV code signing certificates remain valid until they expire.
Why is DigiCert making this change?
To comply with new industry standards, certificate authorities (CAs) must implement the following changes by January 1, 2021.
See Appendix A of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates.
How does the SHA-1 code signing certificate change affect me?
If you rely on SHA-1 code signing certificates, take the following actions, as needed, before December 1, 2020.
For more details about the December 1, 2020 change, see the knowledge base article "DigiCert to stop issuing SHA-1 code signing certificates".
If you have other questions, contact your account manager or our support team.
DigiCert to replace multiple intermediate CA certificates
On November 2, DigiCert will replace another set of intermediate CA (ICA) certificates. For the list of ICA certificates being replaced, see the DigiCert ICA Update KB article.
How does this affect me?
Rolling out new ICAs does not affect your existing certificates. We will not remove the old ICAs from certificate stores until every certificate issued from them has expired, so active certificates issued from the replaced ICAs remain trusted.
However, existing certificates are affected when you reissue them, because the reissued certificates come from the new ICAs. We recommend always including the provided ICA with every certificate you install. This is a best practice we always recommend, so that ICA replacements go unnoticed.
No action is required unless you do any of the following:
If you do any of the above, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs, or make the necessary changes to ensure certificates issued from the ICAs are trusted (in other words, that they can chain up to the updated ICA and trusted root).
Replacing intermediate CA certificates
Be sure to monitor the pages below. These are active pages that are updated regularly with ICA certificate replacement information and copies of DigiCert's new intermediate CA certificates.
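The advice in this entry, in the May 2022 GeoTrust/RapidSSL DV entry, and in the code signing ICA entry earlier on this page is the same: install the ICA with every certificate, make sure reissued certificates chain up to the new ICA and the trusted root, and stop pinning ICAs. The following script is an added example, not DigiCert's code. It uses the openssl CLI to build a throwaway root/old ICA/new ICA/leaf test PKI (constructed certificates, not DigiCert's; all names and the host www.example.test are placeholders) and runs the checks that catch a broken rollover.

```shell
#!/bin/sh
# Added example (not DigiCert's code). Builds a constructed test PKI with openssl and
# shows the three checks that matter during an ICA rollover:
#   1. a leaf alone does not verify; the ICA must be installed and sent with it,
#   2. a leaf reissued from the replacement ICA still chains to the same trusted root,
#      but only when the new ICA (not the old one) is supplied,
#   3. a hard-coded (pinned) ICA fingerprint stops matching after the rollover.
set -e

# EC key + CSR for a subject (EC keeps key generation fast).
_csr() {  # _csr <subject> <key-out> <csr-out>
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Sign a CSR with a CA key, applying the extensions in <extfile>.
_sign() {  # _sign <csr> <ca-cert> <ca-key> <extfile> <cert-out>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 2 \
    -extfile "$4" -out "$5" 2>/dev/null
}

# Build the test PKI in $1: root.pem, ica-old.pem, ica-new.pem (both signed by root),
# leaf-old.pem (issued by the old ICA), leaf-new.pem (same key, reissued under the new ICA).
make_test_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 2 \
    -subj '/CN=Example Test Root' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  _csr '/CN=Example Test ICA 2020' "$d/ica-old.key" "$d/ica-old.csr"
  _sign "$d/ica-old.csr" "$d/root.pem" "$d/root.key" "$d/ca.ext" "$d/ica-old.pem"
  _csr '/CN=Example Test ICA 2022' "$d/ica-new.key" "$d/ica-new.csr"
  _sign "$d/ica-new.csr" "$d/root.pem" "$d/root.key" "$d/ca.ext" "$d/ica-new.pem"
  _csr '/CN=www.example.test' "$d/leaf.key" "$d/leaf.csr"
  _sign "$d/leaf.csr" "$d/ica-old.pem" "$d/ica-old.key" "$d/leaf.ext" "$d/leaf-old.pem"
  _sign "$d/leaf.csr" "$d/ica-new.pem" "$d/ica-new.key" "$d/leaf.ext" "$d/leaf-new.pem"
}

# Returns 0 when <leaf> chains to <root>; <untrusted> (optional) is the ICA or the
# full bundle a server would send, which openssl may use but does not trust by itself.
chain_verifies() {  # chain_verifies <root> <leaf> [untrusted]
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# SHA-256 fingerprint of a certificate, the value a pinning implementation stores.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 when the ICA in <ica> matches the stored pin.
pinned_ica_matches() {  # pinned_ica_matches <pin> <ica>
  [ "$(cert_fingerprint "$2")" = "$1" ]
}

# What a server should install: the leaf followed by its ICA.
install_bundle() {  # install_bundle <leaf> <ica> <bundle-out>
  cat "$1" "$2" > "$3"
}

# Live check of a deployed server (needs network, not run here): prints the subject
# and issuer of the leaf the server sends; the issuer must be the ICA you expect,
# and -showcerts lets you confirm that ICA is actually in the served chain.
show_served_chain() {  # show_served_chain <host>
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

# Demonstration: sh ica-rollover-check.sh demo
if [ "$1" = "demo" ]; then
  W=$(mktemp -d); make_test_pki "$W"
  chain_verifies "$W/root.pem" "$W/leaf-new.pem" && echo "leaf alone: verified" \
    || echo "leaf alone: NOT verified (ICA missing from chain)"
  chain_verifies "$W/root.pem" "$W/leaf-new.pem" "$W/ica-old.pem" && echo "old ICA: verified" \
    || echo "reissued leaf + old ICA: NOT verified (install the new ICA)"
  chain_verifies "$W/root.pem" "$W/leaf-new.pem" "$W/ica-new.pem" && echo "reissued leaf + new ICA: verified"
  pin=$(cert_fingerprint "$W/ica-old.pem")
  pinned_ica_matches "$pin" "$W/ica-new.pem" || echo "pin on old ICA no longer matches: update or drop the pin"
  rm -rf "$W"
fi
```

The same chain_verifies call, with the root you trust and the bundle your server serves, is the check to run on each host after a reissue lands.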
Why is DigiCert replacing its intermediate CA certificates?
We replace ICAs for the following purposes.
If you have questions or concerns, contact your account manager or our support team.
ICA certificate chain selection for public OV and EV flex certificates
We are happy to announce that public OV and EV certificates with flex capabilities now support intermediate CA certificate chain selection.
You can add an option to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues your public OV and EV "flex" certificates.
This option allows you to:
Configure ICA certificate chain selection
To enable ICA selection for your account, contact your account manager or our support team. Then, on the Product Settings page in your CertCentral account (in the left main menu, go to Settings > Product Settings), configure the default and allowed intermediate certificates for each OV and EV flex certificate type.
For more information and step-by-step instructions, see "ICA certificate chain option for public OV and EV flex certificates".
DigiCert Services API supports ICA certificate chain selection
In the DigiCert Services API, we made the following updates to support ICA selection in your API integrations:
Pass in the issuing ICA certificate's ID as the value for the ca_cert_id parameter. Example flex certificate request:
For more information about using ICA selection in your API integrations, see "OV/EV certificate lifecycle – (Optional) ICA selection".
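Both this entry and the DV entry earlier on the page (DigiCert Services API: DV certificate support for ICA certificate chain selection) pass the issuing ICA's ID in the ca_cert_id parameter of the order request. The script below is an added example, not DigiCert's code: it checks the requested ca_cert_id against the default and allowed ICAs configured for the product before building and submitting the order. Only ca_cert_id comes from the page; the API base URL, the X-DC-DEVKEY header, the order path, the product names, the other order fields, and the allowed-ICA table are assumptions or constructed sample data.

```shell
#!/bin/sh
# Added example (not DigiCert's code): order with ICA selection via ca_cert_id, after
# validating the ID against the ICAs allowed for the product in Product Settings.
# API base URL, X-DC-DEVKEY header, order path and product names are assumptions;
# the ALLOWED_ICAS table is constructed sample data (real IDs come from your account).
API_BASE="${API_BASE:-https://www.digicert.com/services/v2}"

# "<product> <ca_cert_id> <ica display name>", one per line; the first line for a
# product is its default ICA (what the API uses when ca_cert_id is omitted).
ALLOWED_ICAS='ssl_dv_example ICAID-DV-RSA Example DV RSA ICA (placeholder)
ssl_dv_example ICAID-DV-ECC Example DV ECC ICA (placeholder)
ssl_ov_flex_example ICAID-OV-RSA Example OV RSA ICA (placeholder)
ssl_ev_flex_example ICAID-EV-RSA Example EV RSA ICA (placeholder)'

# Print the allowed ca_cert_id values for a product, one per line.
allowed_ica_ids() {  # allowed_ica_ids <product>
  printf '%s\n' "$ALLOWED_ICAS" | awk -v p="$1" '$1 == p { print $2 }'
}

# Print the product's default ca_cert_id.
default_ica_id() { allowed_ica_ids "$1" | head -n 1; }

# Returns 0 when <ca_cert_id> is allowed for <product>.
ica_allowed() {  # ica_allowed <product> <ca_cert_id>
  allowed_ica_ids "$1" | grep -qx -- "$2"
}

# Order body with ICA selection. Refuses (exit 1) to build a request whose ICA is not
# allowed for the product, so the mistake is caught before anything is sent.
order_body_with_ica() {  # order_body_with_ica <product> <common_name> <csr> <ca_cert_id>
  ica_allowed "$1" "$4" || { echo "ca_cert_id $4 is not allowed for product $1" >&2; return 1; }
  printf '{"certificate": {"common_name": "%s", "csr": "%s", "signature_hash": "sha256"}, "order_validity": {"years": 1}, "ca_cert_id": "%s"}' \
    "$2" "$3" "$4"
}

# POST the order, or print it when DIGICERT_API_KEY is unset (dry run).
submit_order() {  # submit_order <product> <body>
  url="$API_BASE/order/certificate/$1"
  if [ -z "$DIGICERT_API_KEY" ]; then
    printf 'dry-run: POST %s %s\n' "$url" "$2"
    return
  fi
  curl -sS -X POST -H "X-DC-DEVKEY: $DIGICERT_API_KEY" -H 'Content-Type: application/json' \
    -d "$2" "$url"
}

# Usage: sh order_with_ica.sh <product> <common_name> <csr-file> [ca_cert_id]
if [ $# -ge 3 ]; then
  ica=${4:-$(default_ica_id "$1")}
  body=$(order_body_with_ica "$1" "$2" "$(cat "$3")" "$ica") || exit 1
  submit_order "$1" "$body"
fi
```

Keep the allowed-ICA table in step with the Product Settings page: when an ICA is replaced, the old ID disappears from the account's allowed list and any integration still sending it must be updated.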