Configure the ICA certificate chain feature for your public TLS certificates

Choose the ICA certificate chains to meet your DV, OV, and EV TLS certificate needs

Prerequisites

  • Public DV, OV, and EV flex certificates in your account*
  • ICA certificate chain selection feature enabled for your account

To learn more about DigiCert flex certificates and see which TLS certificates have flex capabilities, see our Flex certificates page.

*RapidSSL Standard DV and RapidSSL Wildcard DV also support the ICA certificate chain selection feature.

To start using the ICA certificate chain selection feature, please contact your account manager or our support team. Your account manager can add needed DV, OV, and EV flex certificates to your account.

Before you begin

Use the ICA certificate chain selection feature to:

  • Set the default ICA certificate chain for your DV, OV, and EV flex certificates.
  • Control the ICA certificate chains certificate requestors can use to issue their flex certificate.

The ICA certificate chain feature does not change the default intermediate chain for your certificates.

By default, DigiCert issues all DV, OV, and EV TLS certificates from mixed SHA-256 certificate chains: SHA-1 root certificate and SHA-256 ICA certificate.

Changing the default ICA certificate chain for a certificate does not affect previously issued certificates or pending certificate orders.

  • To change the ICA certificate chain for an issued certificate, reissue the certificate.
  • To change the ICA certificate chain for a pending flex certificate request, cancel the order and submit a new one.

Configure your ICA certificate chain options

These settings apply to the Services API

Your ICA certificate chain configurations also determine what ICA certificate chains are available when ordering the same type of certificate via the Services API.

  1. In CertCentral, in the left main menu, go to Settings > Product Settings.

  1. Configure the ICA certificate chain settings for your account or a division in your account.

    If you have divisions, use the division (For) dropdown to configure the ICA certificate chain selections for a division.

  1. Configure the ICA certificate chain settings for a role in your account or a division.

    1. To configure role-based ICA certificate chain selections, check Configure products by role.
    2. In the Role column, select a role: Administrator, Limited User, Finance Manager, Manager, or Standard User.

  1. Configure the default ICA certificate chain for the flex certificate.

    1. In the Product column, select a public DV, OV, or EV flex certificate.
    2. In the Product Settings column, in the Default intermediate chain dropdown, select the ICA certificate chain you want to issue the flex certificate by default.

  1. Configure which ICA certificate chains are available on the flex certificate request form.

    In the Product Settings column, in the Allowed intermediate chains [Intermediate CA] > [Root CA] dropdown, select the intermediate certificate chains a requestor can use to issue the flex certificate.

    Note: On the flex certificate order form, the "default" chain is preselected. If the requestor wants to use a different intermediate chain, they must expand the Additional certificate options section and select a different one.

    To remove the requestor's ability to use a different ICA certificate chain, only add the default ICA certificate chain. On the order form, the "default" chain is preselected. However, the requestor won't be able to change it.

  1. Go to the bottom of the page and click Save Settings.

What's next

Default ICA certificate chain

The next time you order the public DV, OV, or EV flex certificate, DigiCert will use the ICA certificate chain you set as the default to issue your TLS certificate.

Multiple ICA certificate chains available

The next time you order the public DV, OV, or EV flex certificate, you can select the ICA certificate chain DigiCert should use to issue your TLS certificate.

To select a different ICA certificate chain:

  1. On the certificate request form, expand Additional certificate options.
  2. In the Intermediate chains [Intermediate CA] > [Root CA] dropdown, select an ICA certificate chain to issue the flex certificate.

About

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.