Configure the ICA certificate chain feature for your public TLS certificates

Choose the ICA certificate chains to meet your DV, OV, and EV TLS certificate needs

Prerequisites

  • Public DV, OV, and EV flex certificates in your account.*
  • ICA certificate chain selection feature enabled for your account.

To learn more about DigiCert flex certificates and see which TLS certificates have flex capabilities, see our Flex certificates page.

*RapidSSL Standard DV and RapidSSL Wildcard DV also support the ICA certificate chain selection feature.

To start using the ICA certificate chain selection feature, contact your account manager or our support team. Your account manager can add needed DV, OV, and EV flex certificates to your account.

Before you begin

Use the ICA certificate chain selection feature to:

  • Set the default ICA certificate chain for your DV, OV, and EV flex certificates.
  • Control the ICA certificate chains certificate requestors can use to issue their flex certificate.

The ICA certificate chain feature does not change the default intermediate chain for your certificates.

By default, DigiCert issues all DV, OV, and EV TLS certificates from mixed SHA-256 certificate chains: SHA-1 root certificate and SHA-256 ICA certificate.

Changing the default ICA certificate chain for a certificate does not affect previously issued certificates or pending certificate orders:

  • To change the ICA certificate chain for an issued certificate, reissue the certificate.
  • To change the ICA certificate chain for a pending flex certificate request, cancel the order and submit a new one.

Configure your ICA certificate chain options

These settings apply to the Services API.

Your ICA certificate chain configurations also determine what ICA certificate chains are available when ordering the same type of certificate via the Services API.

  1. In CertCentral, in the left main menu, go to Settings > Product Settings.

  1. Configure the ICA certificate chain settings for your account or a division in your account.

    If you have divisions, use the division (For) dropdown to configure the ICA certificate chain selections for a division.

  1. Configure the ICA certificate chain settings for a role in your account or a division.

    1. To configure role-based ICA certificate chain selections, check Configure products by role.
    2. In the Role column, select a role: Administrator, Limited User, Finance Manager, Manager, or Standard User.
  1. Configure the default ICA certificate chain for the flex certificate.

    1. In the Product column, select a public DV, OV, or EV flex certificate.
    2. In the Product Settings column, in the Default intermediate chain dropdown, select the ICA certificate chain you want to issue the flex certificate by default.
  1. Configure which ICA certificate chains are available on the flex certificate request form.

    In the Product Settings column, in the Allowed intermediate chains [Intermediate CA] > [Root CA] dropdown, select the intermediate certificate chains a requester can use to issue the flex certificate.

    Note: On the flex certificate order form, the "default" chain is preselected. If the requester wants to use a different intermediate chain, they must expand the Additional certificate options section and select a different one.

    To remove the requester's ability to use a different ICA certificate chain, only add the default ICA certificate chain. On the order form, the "default" chain is preselected. However, the requester won't be able to change it.

  1. Go to the bottom of the page and click Save Settings.

What's next

Default ICA certificate chain

The next time you order the public DV, OV, or EV flex certificate, DigiCert will use the ICA certificate chain you set as the default to issue your TLS certificate.

Multiple ICA certificate chains available

The next time you order the public DV, OV, or EV flex certificate, you can select the ICA certificate chain DigiCert should use to issue your TLS certificate.

To select a different ICA certificate chain:

  1. On the certificate request form, expand Additional certificate options.
  2. In the Intermediate chains [Intermediate CA] > [Root CA] dropdown, select an ICA certificate chain to issue the flex certificate.