Your account manager can add the ICA selection option to your account. They can also add needed OV and EV flex certificates to your account. Then, you can configure the ICA certificate chains that should issue your public OV and EV flex certificates.
OV and EV flex certificates are the only public TLS certificates that support the option to select an ICA certificate chain. To learn more about DigiCert flex certificates and to see which public OV and EV TLS certificates have flex capabilities, see our Flex certificates page.
Public DV flex certificates and non-flex TLS certificates don't support the ICA certificate chain option.
When configuring the ICA certificate chains for your public OV and EV TLS flex certificates, you can:
Enabling the ICA certificate chain option does not change the default intermediate chain for any of the flex products. By default, DigiCert issues all OV and EV certificates from mixed SHA-256 certificate chains: SHA-1 root certificate and SHA-256 ICA certificate.
Changing the default ICA certificate chain for a flex certificate does not change the ICA certificate chain for previously issued certificates or pending certificate requests.
These settings also determine the ICA certificate chains that users can select to issue their flex certificate when ordering these products using the Services API.
In your CertCentral account, in the left main menu, go to Settings > Product Settings.
Configure the ICA certificate chain settings for your account or a division in your account.
If you have divisions in your account, you can configure product settings at the division level. Use the division (For) dropdown to select the division you want to configure the ICA certificate chain options for.
Configure ICA certificate for a role in your account or in a division
In the Product column, select the public OV or EV flex certificate you want to configure the ICA certificate chain option for.
Configure the default ICA certificate chain for the flex certificate
In the Product Settings column, in the Default intermediate chain dropdown, select the default certificate chain to issue the flex certificate.
Configure the ICA certificate chains available on the flex certificate order form
In the Product Settings column, in the Allowed intermediate chains [Intermediate CA] > [Root CA] dropdown, select the intermediate chains the certificate requestor can use to issue the public TLS flex certificate.
Note: On the TLS certificate order form, the "default" chain is selected automatically. To use a different intermediate chain, the requestor must expand the Additional certificate options section and manually select a different intermediate certificate chain.
To remove the requestor's ability to select the ICA certificate chain, only add the default ICA certificate chain. On the order form, they will see this ICA certificate chain in the menu, but they won't be able to change it.
Scroll to the bottom of the page and click Save Settings.
The next time someone orders the public OV or EV flex certificate, it will be issued from the intermediate chain you set as the default issuing certificate chain.
If you enabled multiple ICA certificate chains for a flex product, the next time someone orders that certificate, they can use the Intermediate chains [Intermediate CA] > [Root CA] dropdown to select the chain that should issue the certificate.
On the certificate request form: