A TLS certificate chain includes a root certificate, intermediate certificate authority (ICA) certificate, and server certificate. The issuing ICA certificate is the link between the root certificate and your server certificate.
By default, CertCentral issues public TLS certificates from mixed SHA-256 certificate chains: SHA-1 root certificate and SHA-256 ICA certificate. We do this to provide you with the best root ubiquity. Mixed public SHA-256 certificate chains can issue SHA-256 and ECC server certificates.
Mixed public SHA-256 certificate chains are secure and industry compliant. A mixed certificate chain may include a SHA-1 root certificate, SHA-256 ICA certificate, and SHA-256 server certificates. It may also have a SHA-1 root certificate, SHA-256 ICA certificate, and ECC 384 EDCSA server certificate.
All browsers support mixed public TLS certificate chains. However, some non-browser applications don't support SHA-1 root certificates. Additionally, some organization policies require full SHA-256 and ECC 256/384 EDCSA chains for their public TLS certificates.
You can add a feature to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues your public DV, OV, and EV TLS certificates.
This option allows you to:
When your account manager enables this feature, DigiCert automatically adds new options or menus to the supported TLS certificate order forms and TLS certificate product settings.
This new menu appears on all supported TLS certificate order forms and allows the certificate requester to see the ICA certificate chain available to issue the flex certificate. By default, it also allows the requester to select the ICA certificate chain that should issue the certificate.
On the order form, this menu is in the Additional certificate options section.
You cannot remove this menu from the order forms. However, you can use the TLS certificate product settings to control which ICA certificate chains appear in the menu.
This new menu appears in the product settings for all supported TLS certificates. It allows you to control how the Intermediate chains [Intermediate CA] > [Root CA] menu works on the flex certificate's order form. You can select which ICA certificate chains the requester can use to issue the certificate.
By default, this setting allows the certificate requester to use any available ICA certificate chains to issue the flex certificate.
Enabling the ICA certificate chain selection feature does not change the default intermediate chain for any supported certificates. You must change the default ICA certificate chain for the TLS certificate.