Configure ICA certificate chain options for your public OV and EV flex certificates

Prerequisites

  • Public OV and EV TLS flex certificates enabled for your account
  • ICA certificate chain selection added to your account

Your account manager can add the ICA selection option to your account. They can also add needed OV and EV flex certificates to your account. Then, you can configure the ICA certificate chains that should issue your public OV and EV flex certificates.

Before you begin

OV and EV flex certificates are the only public TLS certificates that support the option to select an ICA certificate chain. To learn more about DigiCert flex certificates and to see which public OV and EV TLS certificates have flex capabilities, see our Flex certificates page.

Public DV flex certificates and non-flex TLS certificates don't support the ICA certificate chain option.

When configuring the ICA certificate chains for your public OV and EV TLS flex certificates, you can:

  • Select the default ICA certificate chain that should issue each type of flex certificate.

Enabling the ICA certificate chain option does not change the default intermediate chain for any of the flex products. By default, DigiCert issues all OV and EV certificates from mixed SHA-256 certificate chains: a SHA-1 root certificate and a SHA-256 ICA certificate.

Changing the default ICA certificate chain for a flex certificate does not change the ICA certificate chain for previously issued certificates or pending certificate requests.

  • To change the intermediate certificate chain for a previously issued certificate, reissue the certificate.
  • To change the intermediate certificate chain for a pending certificate request, cancel the order and submit a new request for the flex certificate.
  • Configure the ICA certificate chains the certificate requestors can choose from in the Allowed intermediate chains [Intermediate CA] > [Root CA] menu on the flex certificate order forms.

Configure the ICA certificate chain option

These settings also determine the ICA certificate chains that users can select to issue their flex certificate when ordering these products using the Services API.

  1. In your CertCentral account, in the left main menu, go to Settings > Product Settings.

  2. Configure the ICA certificate chain settings for your account or a division in your account.

    If you have divisions in your account, you can configure product settings at the division level. Use the division (For) dropdown to select the division you want to configure the ICA certificate chain options for.

  3. Configure the ICA certificate chain options for a role in your account or in a division

    1. To configure role-based ICA certificate chain options, check Configure products by role.
    2. In the Role column, select the role you want to configure the ICA certificate chain options for: Administrator, Limited User, Finance Manager, Manager, or Standard User.
  4. In the Product column, select the public OV or EV flex certificate you want to configure the ICA certificate chain option for.

  5. Configure the default ICA certificate chain for the flex certificate

    In the Product Settings column, in the Default intermediate chain dropdown, select the default certificate chain to issue the flex certificate.

  6. Configure the ICA certificate chains available on the flex certificate order form

    In the Product Settings column, in the Allowed intermediate chains [Intermediate CA] > [Root CA] dropdown, select the intermediate chains the certificate requestor can use to issue the public TLS flex certificate.

    Note: On the TLS certificate order form, the "default" chain is selected automatically. To use a different intermediate chain, the requestor must expand the Additional certificate options section and manually select a different intermediate certificate chain.

    To remove the requestor's ability to select the ICA certificate chain, add only the default ICA certificate chain. On the order form, they will see this ICA certificate chain in the menu, but they won't be able to change it.

  7. Scroll to the bottom of the page and click Save Settings.

What's next

The next time someone orders the public OV or EV flex certificate, it will be issued from the intermediate chain you set as the default issuing certificate chain.

If you enabled multiple ICA certificate chains for a flex product, the next time someone orders that certificate, they can use the Intermediate chains [Intermediate CA] > [Root CA] dropdown to select the chain that should issue the certificate.

On the certificate request form:

  1. Expand Additional certificate options.
  2. In the Intermediate chains [Intermediate CA] > [Root CA] dropdown, select the ICA certificate chain that should issue the certificate.
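
After changing the default or allowed chains, you can confirm which ICA actually issued a certificate by checking the issued certificate against the candidate ICA certificates. The script below is an added example, not DigiCert code; it assumes the openssl CLI is installed, and its function names and the throwaway demo PKI it builds (Demo Root, Demo ICA A and B, www.example.test) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not DigiCert code. File names and CNs below are constructed.

# One-line RFC 2253 issuer / subject DN of a PEM certificate.
issuer_dn()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
subject_dn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# Signature algorithm a certificate was signed with, e.g. sha256WithRSAEncryption.
sig_alg() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }

# chain_that_issued LEAF ICA...: print the first ICA file whose subject DN equals
# the leaf's issuer DN and whose public key verifies the leaf's signature.
# Returns 1 when none of the candidate ICAs issued the leaf.
chain_that_issued() {
    leaf=$1; shift
    for ica in "$@"; do
        [ "$(issuer_dn "$leaf")" = "$(subject_dn "$ica")" ] || continue
        openssl verify -partial_chain -trusted "$ica" "$leaf" >/dev/null 2>&1 || continue
        echo "$ica"; return 0
    done
    return 1
}

# make_demo_chains DIR: constructed test PKI (one root, ICAs A and B, a leaf
# issued by ICA B) standing in for certificates downloaded after issuance.
make_demo_chains() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    for n in A B; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo ICA $n" \
            -keyout "$d/ica$n.key" -out "$d/ica$n.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/ica$n.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -sha256 -days 2 -extfile "$d/ca.ext" \
            -out "$d/ica$n.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/icaB.pem" -CAkey "$d/icaB.key" \
        -CAcreateserial -sha256 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Demo run: build the constructed PKI and report which ICA issued the leaf.
demo_dir=$(mktemp -d) && make_demo_chains "$demo_dir" &&
    echo "issued by: $(chain_that_issued "$demo_dir/leaf.pem" "$demo_dir/icaA.pem" "$demo_dir/icaB.pem")"
```

With real certificates, pass the issued certificate as the first argument and the ICA certificates of the chains allowed for the product as the remaining arguments. Because the signature is checked as well as the issuer name, a certificate that only shares the ICA's subject name is not reported as the issuer.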