September 27, 2018

Updates to the full SHA256 EV hierarchy certificate profile

On September 27, 2018, we removed the Symantec policy OID from EV TLS certificates issued from the full SHA256 EV hierarchy [DigiCert Global G2 Root => DigiCert Global G2 Intermediate => EV TLS/SSL certificate].

Problem: Chrome bug on macOS

July 2018, we discovered a bug in Chrome on macOS where it wasn't showing the EV indicator for EV TLS certificate with more than two policy OIDs – https://bugs.chromium.org/p/chromium/issues/detail?id=867944.

Solution

We removed the Symantec policy OID from the full SHA256 EV hierarchy certificate profile. With this change, Chrome on macOS again showed the EV indicator for the EV TLS certificates issued from the full SHA256 EV hierarchy.

Affected EV TLS certificates

EV TLS certificates (from the full SHA256 EV hierarchy) issued after January 31, 2018 and prior to September 27, 2018 contain these three policy OIDs in the Certificate Extension - Certificate Policies:

  • 2.16.840.1.114412.2.1 (DigiCert OID)
  • 2.16.840.1.113733.1.7.23.6 (Symantec OID)
  • 2.23.140.1.1 (CAB/F OID)

What do I need to do?

Do you have an EV TLS certificate that is not showing the EV indicator in Chrome on macOS?

Please replace (reissue) your EV TLS certificate to show the EV indicator in Chrome on macOS. Full SHA256 EV TLS certificates issued as of September 27, 2018 contain only two policy OIDs in the Certificate Extension - Certificate Policies:

  • 2.16.840.1.114412.2.1 (DigiCert OID)
  • 2.23.140.1.1 (CAB/F OID)

What about other types of certificates?

For all other types of certificates, no action is required.