
ICA certificate chain selection feature for public TLS certificates

Get the certificate chain to meet your DV, OV, and EV TLS certificate needs

A TLS certificate chain includes a root certificate, intermediate certificate authority (ICA) certificate, and server certificate. The issuing ICA certificate is the link between the root certificate and your server certificate.

By default, CertCentral issues public TLS certificates from mixed SHA-256 certificate chains: SHA-1 root certificate and SHA-256 ICA certificate. We do this to provide you with the best root ubiquity. Mixed public SHA-256 certificate chains can issue SHA-256 and ECC server certificates.

Notice

Mixed public SHA-256 certificate chains are secure and industry compliant. The SHA-1 signature is only on the root's self-signature, which relying parties never verify: a root certificate is trusted because it is present in the client's trust store, not because of how it is signed. The signatures that are actually verified, on the ICA certificate and on your server certificate, use SHA-256. A mixed certificate chain may include a SHA-1 root certificate, SHA-256 ICA certificate, and SHA-256 server certificate. It may also have a SHA-1 root certificate, SHA-256 ICA certificate, and ECDSA P-384 (ECC 384) server certificate.

What if I need a full SHA-256 or ECC TLS certificate chain?

All browsers support mixed public TLS certificate chains. However, some non-browser applications (for example, clients that apply a blanket "no SHA-1 anywhere in the chain" rule) don't support SHA-1 root certificates. Additionally, some organization policies require full SHA-256 or ECDSA P-256/P-384 chains for their public TLS certificates, even though the SHA-1 root self-signature has no effect on the security of the chain.
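To see what a client or policy will object to, inspect the signatureAlgorithm of each certificate in the chain rather than assuming. The following is an added example for this page, not DigiCert's or CertCentral's code: a standard-library-only DER walker that reads a PEM bundle in the order a server sends it (leaf first, root last), reports which key type and digest each certificate was signed with, and separates the harmless case (SHA-1 only on the root's self-signature) from the real failure (SHA-1 on a certificate that relying parties verify) and from the policy case (an organization that requires a full SHA-2 chain regardless). It assumes the bundle ends with the self-signed root; the sample chains are constructed stand-ins with the real outer Certificate layout but a dummy TBS and signature, not real DigiCert certificates.

```python
"""Classify each certificate in a PEM chain by the algorithm it was signed with.
Added example (not DigiCert code); standard library only, toy DER walker."""
import base64
import re

# signatureAlgorithm OIDs seen in public TLS chains: OID -> (issuer key type, digest)
SIG_OIDS = {
    "1.2.840.113549.1.1.5":  ("RSA", "SHA-1"),
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),
    "1.2.840.10045.4.3.2":   ("ECDSA", "SHA-256"),
    "1.2.840.10045.4.3.3":   ("ECDSA", "SHA-384"),
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a SEQUENCE into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Returns the dotted OID of the outer signatureAlgorithm (the one verifiers act on)."""
    tag, cert, _ = _read_tlv(der, 0)
    _tbs, (alg_tag, alg), _sig = _children(cert)[:3]
    oid_tag, oid = _children(alg)[0]
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER Certificate with an AlgorithmIdentifier")
    return _decode_oid(oid)


def pem_chain_to_ders(pem):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def assess_chain(pem, require_full_sha2=False):
    """Leaf first, root last (assumption: the bundle ends with the self-signed root).
    Returns [(position, issuer_key_type, digest, verdict), ...]."""
    ders, report = pem_chain_to_ders(pem), []
    for i, der in enumerate(ders):
        oid = signature_algorithm_oid(der)
        key, digest = SIG_OIDS.get(oid, ("unknown", oid))
        position = "root" if i == len(ders) - 1 else ("leaf" if i == 0 else "ica")
        if digest != "SHA-1":
            verdict = "ok"
        elif position != "root":
            verdict = "fail: SHA-1 signature on a certificate relying parties verify"
        elif require_full_sha2:
            verdict = "policy: SHA-1 root self-signature violates full-SHA-2 requirement"
        else:
            verdict = "ok: root self-signature is never verified by relying parties"
        report.append((position, key, digest, verdict))
    return report


# --- constructed sample input (toy certificates, not real ones) -------------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = bytes([a & 0x7F]), a >> 7
        while a:
            chunk, a = bytes([0x80 | (a & 0x7F)]) + chunk, a >> 7
        out += chunk
    return out


def toy_certificate(sig_oid):
    """Real outer layout, dummy TBS/signature; RSA ids carry NULL params, ECDSA omit them."""
    params = _tlv(0x05, b"") if sig_oid.startswith("1.2.840.113549") else b""
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + params)
    return _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x02")) + alg_id + _tlv(0x03, bytes(9)))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Mixed chain as the page describes: SHA-256 leaf and ICA signatures, SHA-1 root self-signature
MIXED_CHAIN = "".join(to_pem(toy_certificate(o)) for o in
                      ["1.2.840.113549.1.1.11", "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"])
# Genuinely broken chain: the ICA itself is SHA-1 signed, and clients do verify that signature
BAD_CHAIN = "".join(to_pem(toy_certificate(o)) for o in
                    ["1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.5"])
# Full ECC chain: every signature is ECDSA with SHA-384
FULL_ECC_CHAIN = "".join(to_pem(toy_certificate("1.2.840.10045.4.3.3")) for _ in range(3))
```

Point the script at the output of `openssl s_client -showcerts` (saved to a file) to check what your server actually presents; if the server does not send the root, the last certificate is an ICA and the root must be taken from the trust store instead, so do not rely on the "root" label in that case.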

You can add a feature to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues your public DV, OV, and EV TLS certificates.

This option allows you to:

  • Set the default ICA certificate chain for each supported public DV, OV, and EV product.

  • Control which ICA certificate chains certificate requesters can use to issue their TLS certificate.

How does the ICA certificate chain selection feature affect my account?

When your account manager enables this feature, DigiCert automatically adds new options or menus to the supported TLS certificate order forms and TLS certificate product settings.

Order forms – Intermediate chains [Intermediate CA] > [Root CA] menu

This new menu appears on all supported TLS certificate order forms and allows the certificate requester to see the ICA certificate chain available to issue the TLS certificate. By default, it also allows the requester to select the ICA certificate chain that should issue the certificate.

On the order form, this menu is in the Additional certificate options section.

You cannot remove this menu from the order forms. However, you can use the TLS certificate product settings to control which ICA certificate chains appear in the menu.

Product settings – Allowed intermediate chains [Intermediate CA] > [Root CA] menu

This new menu appears in the product settings for all supported TLS certificates. It allows you to control how the Intermediate chains [Intermediate CA] > [Root CA] menu works on the TLS certificate's order form. You can select which ICA certificate chains the requester can use to issue the certificate.

By default, this setting allows the certificate requester to use any available ICA certificate chains to issue the TLS certificate.

Product settings – Default intermediate chain

Enabling the ICA certificate chain selection feature does not change the default intermediate chain for any supported certificate; orders continue to be issued from the mixed chain unless a requester picks another. If you want a full SHA-256 or ECC chain to be the default, you must change the default ICA certificate chain in the product settings for that TLS certificate.