ICA certificate chain option for public OV and EV flex certificates

Get the certificate chain to meet your OV and EV flex certificate needs

A TLS certificate chain includes a root certificate, an intermediate certificate authority (ICA) certificate, and a server certificate. The issuing ICA certificate is the link between the root certificate and your server certificate.

By default, CertCentral issues public TLS certificates from mixed SHA-256 certificate chains: a SHA-1 root certificate and a SHA-256 ICA certificate. We do this to provide you with the best root ubiquity. Mixed public SHA-256 certificate chains can issue SHA-256 and ECC server certificates.

Mixed public SHA-256 certificate chains are secure and industry compliant. A mixed certificate chain may include a SHA-1 root certificate, a SHA-256 ICA certificate, and SHA-256 server certificates. It may also include a SHA-1 root certificate, a SHA-256 ICA certificate, and an ECC 384 ECDSA server certificate.

What if I need full SHA-256 or full ECC TLS certificate chains?

All browsers support mixed public TLS certificate chains. However, some non-browser applications don't support SHA-1 root certificates. Additionally, some organization policies require full SHA-256 and ECC 256/384 ECDSA chains for their public TLS certificates.

You can add an option to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues your public OV and EV flex certificates.

This option allows you to:

  • Set the default ICA certificate chain for each public OV and EV flex product.
  • Control which ICA certificate chains certificate requestors can use to issue their flex certificate.
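
An added example, not DigiCert's code: a Python check that classifies a three-certificate chain as mixed, full SHA-256, or full ECC from the text that `openssl x509 -noout -text` prints for each certificate, which is useful for confirming that a deployed chain matches the policy described above. The labels, function names, and sample excerpts are constructed for illustration.

```python
import re

SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
KEY_RE = re.compile(r"Public Key Algorithm:\s*(\S+)")
ROLES = ("server", "ICA", "root")  # order in which the certificates are passed in

def describe(cert_text):
    """Return (digest, key_type) from one certificate's text dump."""
    sig = SIG_RE.search(cert_text).group(1).lower()
    key = KEY_RE.search(cert_text).group(1)
    digest = re.search(r"sha\d+", sig)  # None when no digest is in the name
    return (digest.group(0) if digest else "unknown",
            "ecc" if key == "id-ecPublicKey" else "rsa")

def classify_chain(cert_texts):
    """cert_texts is ordered server, ICA, root. Returns (label, findings)."""
    if len(cert_texts) != 3:
        raise ValueError("expected server, ICA and root certificates")
    info = dict(zip(ROLES, map(describe, cert_texts)))
    findings = [f"{role} certificate is signed with SHA-1"
                for role, (digest, _) in info.items() if digest == "sha1"]
    digests = {d for d, _ in info.values()}
    keys = {k for _, k in info.values()}
    if findings:
        # Mixed chain as the page defines it: SHA-1 root, SHA-256 ICA and server
        order = [info[r][0] for r in ROLES]
        label = "mixed" if order == ["sha256", "sha256", "sha1"] else "other"
    elif keys == {"ecc"} and "unknown" not in digests:
        label = "full-ecc"
    elif digests == {"sha256"}:
        label = "full-sha256"
    else:
        label = "other"
    return label, findings

def excerpt(sig, key):
    """Constructed sample in the layout of `openssl x509 -noout -text`."""
    return (f"    Signature Algorithm: {sig}\n"
            f"            Public Key Algorithm: {key}\n")

RSA_SHA256 = excerpt("sha256WithRSAEncryption", "rsaEncryption")
SHA1_ROOT = excerpt("sha1WithRSAEncryption", "rsaEncryption")
ECC_SERVER = excerpt("sha256WithRSAEncryption", "id-ecPublicKey")
ECC_SHA384 = excerpt("ecdsa-with-SHA384", "id-ecPublicKey")
MIXED = [RSA_SHA256, RSA_SHA256, SHA1_ROOT]
MIXED_ECC_SERVER = [ECC_SERVER, RSA_SHA256, SHA1_ROOT]
FULL_SHA256 = [RSA_SHA256] * 3
FULL_ECC = [ECC_SHA384] * 3
```

A chain labelled `mixed` is the one to review when a non-browser client or an internal policy rejects SHA-1 roots.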

How does adding the ICA certificate chain option affect my account?

Enabling the ICA certificate chain selection option automatically adds new options/menus to your flex certificate order forms and flex certificate product settings.

  1. Order forms – Intermediate chains [Intermediate CA] > [Root CA] menu

    This new menu appears on all flex certificate order forms and allows the certificate requestor to see the ICA certificate chain that will issue the flex certificate. By default, it also allows the requestor to select the ICA certificate chain that should issue the certificate.
    On the order form, this menu is in the Additional certificate options section.

    You cannot remove this menu from the order forms. However, you can use the flex certificate product settings to control which ICA certificate chains appear in the menu.

  2. Product settings – Allowed intermediate chains [Intermediate CA] > [Root CA] menu

    This new menu appears in the product settings for all flex certificates and allows you to control how the Intermediate chains [Intermediate CA] > [Root CA] menu works on the flex certificate's order form. You can select which ICA certificate chains the requestor can use to issue the certificate.

    By default, this setting allows the certificate requestor to use any of the available ICA certificate chains to issue the flex certificate.

  3. Product settings – Default intermediate chain

    This new menu appears in the product settings for all flex certificates and allows you to configure the default ICA certificate chain that should issue the flex certificate.

    Enabling the ICA certificate chain selection option does not change the default intermediate chain for any of the flex products. You must change the default ICA certificate chain for each flex certificate.
