July 31, 2018

New features and updates in Managed PKI for SSL:

  • Replace distrusted certificates in bulk
  • New organizational unit validation

Replace distrusted certificates in bulk

For accounts that have more than a few certificates at risk of browser distrust, admins can quickly replace multiple certificates in batches. A bulk replacement request:

  • Processes up to 100 certificates per batch.
  • Uses the previous CSR and certificate settings to generate the replacement certificates.
  • Uses the same new challenge phrase for all replacement certificates in a batch.

To replace distrusted certificates in bulk:

  1. In the Managed PKI for SSL Control Center, go to certificate search results. At-risk certificates are highlighted in their statuses.
  2. Click Bulk replacement for distrusted certificates.
  3. Review the distrusted certificates and click Replace distrusted certificates.
  4. Enter a challenge phrase. The challenge phrase is used for all certificates in the batch.
  5. Return to certificate search results to check if there are more distrusted certificates and repeat the process as needed.

New organizational unit validation

DigiCert is implementing a new organizational unit (OU) verification process for checking the OU included in your certificate requests. To help ensure the integrity of, and trust in, your website, the new process checks the OU value, similar to how we currently check the organization (O) name in certificate requests.

No action is needed on your part, but you should expect short delays - an hour or less - in issuance for some certificates. When you get your certificate, also check to make sure it has the expected OU.

This change will apply to Public SSL/TLS certificates only. For more info on the validation change and how it affects your requests, visit New organizational unit (OU) validation process.

How does the new OU validation process work?

If the OU value is found in our validation whitelists, we instantly issue the certificate, pending any additional verification delays. Most OUs are approved and certificates are issued without any problems.

If the OU value is not found in our validation whitelists, we proactively review the OU value and issue the certificate, typically within an hour.

  • If the unknown OU is valid per industry standards, the certificate is issued as requested and the OU is added to the whitelist for future requests.
  • If the OU is invalid, the OU is removed and the certificate is issued with a blank OU.
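
One way to check that an issued certificate kept the OU you requested, since an invalid OU is removed and the certificate is issued with a blank OU. This is an added example, not DigiCert tooling; it assumes the `openssl` CLI is installed, and the function names, file names and sample subject are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not DigiCert tooling): confirm an issued certificate kept the OU from its CSR.

# Constructed sample of `openssl x509 -noout -subject -nameopt multiline` output.
SAMPLE_SUBJECT='subject=
    countryName               = US
    organizationName          = Example Inc
    organizationalUnitName    = IT Operations
    commonName                = www.example.com'

# Read multiline subject output on stdin; print each OU value, one per line, sorted.
extract_ous() {
  sed -n 's/^[[:space:]]*organizationalUnitName[[:space:]]*=[[:space:]]*//p' | sort
}

# Compare requested vs issued OU lists. Returns 0 match, 1 changed, 2 removed (blank OU).
compare_ous() {
  local requested="$1" issued="$2"
  if [ "$requested" = "$issued" ]; then
    echo "OK: issued OU matches the request"; return 0
  elif [ -z "$issued" ]; then
    echo "BLANK: requested OU '$requested' is missing from the issued certificate"; return 2
  fi
  echo "MISMATCH: requested '$requested', issued '$issued'"; return 1
}

# Usage: check_ou request.csr issued.pem   (placeholder file names)
check_ou() {
  local req_subj cert_subj
  req_subj=$(openssl req -in "$1" -noout -subject -nameopt multiline) || return 3
  cert_subj=$(openssl x509 -in "$2" -noout -subject -nameopt multiline) || return 3
  compare_ous "$(printf '%s\n' "$req_subj" | extract_ous)" \
              "$(printf '%s\n' "$cert_subj" | extract_ous)"
}
```

Run `check_ou` against each replaced or newly issued certificate; an exit status of 2 means the certificate came back with a blank OU.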