CertCentral to issue GeoTrust and RapidSSL DV certificates from new intermediate CA certificates
On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.
Old ICA certificates
New ICA certificates
See the DigiCert ICA Update KB article.
How does this affect me?
Rolling out new ICA certificates does not affect your existing DV certificates. Active certificates issued from the replaced ICA certificates will remain trusted until they expire.
However, all new certificates, including certificate reissues, will be issued from the new ICA certificates. To ensure ICA certificate replacements go unnoticed, always include the provided ICA certificate with every TLS certificate you install.
No action is required unless you do any of the following:
Action required
If you practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. You should stop pinning and hard coding ICA certificates or make the necessary changes to ensure your GeoTrust DV and RapidSSL DV certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to their new ICA certificate and trusted root.
See the DigiCert Trusted Root Authority Certificates page to download copies of the new Intermediate CA certificates.
What if I need more time?
If you need more time to update your environment, you can continue to use the old 2020 ICA certificates until they expire. Contact DigiCert Support, and they can set that up for your account. However, after May 31, 2022, RapidSSL DV and GeoTrust DV certificates issued from the 2020 ICA certificates will be truncated to less than one year.
Industry changes to file-based DCV (HTTP Practical Demonstration, file auth, file, HTTP token, and HTTP auth)
To comply with new industry standards for the file-based domain control validation (DCV) method, you can only use the file-based DCV to demonstrate control over fully qualified domain names (FQDNs), exactly as named.
To learn more about the industry change, see Domain validation policy changes in 2021.
How does this affect me?
As of November 16, 2021, you must use one of the other supported DCV methods, such as Email, DNS TXT, and CNAME, to:
To learn more about the supported DCV method for DV, OV, and EV certificate requests:
CertCentral: Pending certificate requests and domain prevalidation using file-based DCV
Pending certificate request
If you have a pending certificate request with incomplete file-based DCV checks, you may need to switch DCV methods* or use the file-based DCV method to demonstrate control over every fully qualified domain name, exactly as named, on the request.
*Note: For certificate requests with incomplete file-based DCV checks for wildcard domains, you must use a different DCV method.
To learn more about the supported DCV methods for DV, OV, and EV certificate requests:
Domain prevalidation
If you plan to use the file-based DCV method to prevalidate an entire domain or entire subdomain, you must use a different DCV method.
To learn more about the supported DCV methods for domain prevalidation, see Supported domain control validation (DCV) methods for domain prevalidation.
CertCentral Services API
If you use the CertCentral Services API to order certificates or submit domains for prevalidation using file-based DCV (http-token), this change may affect your API integrations. To learn more, visit File-based domain control validation (http-token).
Upcoming Schedule Maintenance
DigiCert will perform scheduled maintenance on November 6, 2021, between 22:00 – 24:00 MDT (November 7, 2021, between 04:00 – 06:00 UTC).
CertCentral infrastructure-related maintenance downtime
We will start this infrastructure-related maintenance between 22:00 and 22:10 MDT (04:00 and 04:10 UTC). Then, for approximately 30 minutes, the following services will be down:
DV certificate issuance for CertCentral, ACME, and ACME agent automation
CIS and SCEP
QuoVadis TrustLink certificate issuance
This maintenance only affects DV certificate issuance, CIS, SCEP, and TrustLink certificate issuance. It does not affect any other DigiCert platforms or services .
PKI Platform 8 maintenance
We will start the PKI Platform 8 maintenance at 22:00 MDT (04:00 UTC). Then, for approximately 30 minutes, the PKI Platform 8 will experience service delays and performance degradation that affect:
Additionally:
The PKI Platform 8 maintenance only affects PKI Platform 8. It does not affect any other DigiCert platforms or services.
Plan accordingly:
Services will be restored as soon as we complete the maintenance.
CertCentral Services API: Auto-reissue support for Multi-year Plans
We are happy to announce that the CertCentral Services API now supports automatic certificate reissue requests (auto-reissue) for Multi-year Plans. The auto-reissue feature makes it easier to maintain SSL/TLS coverage on your Multi-year Plans.
You can enable auto-reissue for individual orders in your CertCentral account. When auto-reissue is enabled, we automatically create and submit a certificate reissue request 30 days before the most recently issued certificate on the order expires.
Enable auto-reissue for a new order
To give you control over the auto-reissue setting for new Multi-year Plans, we added a new request parameter to the endpoints for ordering DV, OV, and EV TLS/SSL certificates: auto_reissue
.
By default, auto-reissue is disabled for all orders. To enable auto-reissue when you request a new Multi-year Plan, set the value of the auto_reissue
parameter to 1
in the body of your request.
Example request body:
Note: In new order requests, we ignore the auto_reissue
parameter if:
Update auto-reissue setting for existing orders
To give you control over the auto-reissue setting for existing Multi-year Plans, we added a new endpoint: Update auto-reissue settings. Use this endpoint to enable or disable the auto-reissue setting for an order.
Get auto-reissue setting for an existing order
To help you track the auto-reissue setting for existing certificate orders, we added a new response parameter to the Order info endpoint: auto_reissue
. The auto_reissue
parameter returns the current auto-reissue setting for the order.
ICA certificate chain selection for public DV flex certificates
We are happy to announce that select public DV certificates now support Intermediate CA certificate chain selection:
You can add a feature to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues the end-entity certificate when you order these public DV products.
This feature allows you to:
Configure ICA certificate chain selection
To enable ICA selection for your account:
For more information and step-by-step instructions, see the Configure the ICA certificate chain feature for your public TLS certificates.
DigiCert Services API: DV certificate support for ICA certificate chain selection
In the DigiCert Services API, we made the following updates to support ICA selection in your DV certificate order requests:
Pass in the issuing ICA certificate's ID as the value for the ca_cert_id parameter in your order request's body.
Example DV certificate request:
For more information about using ICA selection in your API integrations, see DV certificate lifecycle – Optional ICA selection.
CertCentral 服务 API:改进的域电子邮件端点
为了更加方便查找在基于电子邮件的域控制验证 (DCV) 流程中用于接收 DigiCert 验证邮件的 DNS TXT 电子邮件地址,我们对域电子邮件端点新增了一个响应参数:dns_txt_emails
。
dns_txt_emails
参数返回在域的 DNS TXT 记录中找到的电子邮件地址的列表。这是我们在验证的域的_validation-contactemail
子域上的 DNS TXT 记录中找到的电子邮件地址。
具有新参数的响应示例:
关于新支持的“发送电子邮件给 DNS TXT 联系人”DCV 方法的更多信息:
关于验证 DV 证书订单上的域的信息:
关于验证 OV/EV 证书订单上的域的信息:
CertCentral:“发送电子邮件给 DNS TXT 联系人”DCV 方法
我们很高兴宣布,DigiCert 现在支持发送电子邮件给 DNS TXT 联系人进行基于电子邮件的域控制验证 (DCV)。这意味着您可以在域的 DNS TXT 记录中添加电子邮件地址。DigiCert 自动搜索 DNS TXT 记录并发送 DCV 电子邮件到这些地址。收件人需要按照邮件中的说明证明对域的控制权。
注意:以前,DigiCert 仅发送 DCV 电子邮件至基于 WHOIS 的电子邮件地址和构造的电子邮件地址。
行业变化
由于隐私权政策和其他约束,访问 WHOIS 记录中的联系人信息越来越难。通过 SC13 投票表决后,证书颁发机构/浏览器 (CA/B) 论坛在支持的 DCV 方法列表中添加了“发送电子邮件给 DNS TXT 联系人”。
DNS TXT 记录电子邮件联系人
如需使用发送电子邮件给 DNS TXT 联系人 DCV 方法,必须将 DNS TXT 记录放入需要验证的域的 _validation-contactemail 子域上。DigiCert 自动搜索 WHOIS 和 DNS TXT 记录并发送 DCV 电子邮件到在这些记录中找到的地址。
_validation-contactemail.example.com | Default | validatedomain@digicerttest.com
此文本记录的 RDATA 值必须是有效的电子邮件地址。请参阅基准要求附录中的 B.2.1 DNS TXT 记录电子邮件联系人。
有关“投票 SC13”、CA/浏览器论坛和“发送电子邮件给 DNS TXT 联系人”DCV 方法的更多信息:
CertCentral 服务 API:文档更新
我们在 DV 证书订单的 CertCentral 服务 API 文档中新增了一个请求参数:use_auth_key
. 在具有现有 AuthKey 的帐户中,该参数允许您在提交 DV 证书订单时选择是否检查 DNS 记录中的 AuthKey 请求令牌。
默认情况下,如果您的帐户存在 AuthKey,则在订购 DV 证书之前,必须在 DNS 记录中添加 AuthKey 请求令牌。AuthKey 请求令牌可用于颁发中间证书,减少证书生命周期管理所需的时间。但是,您有时可能需要使用电子邮件验证或 DigiCert 生成的令牌确认对域的控制权。在这些情况下,use_auth_key
参数允许您禁止在订单级别检查 AuthKey 请求令牌,因此您可以使用其他方法证明对域的控制权。有关域控制验证 (DCV) 的更多信息,请参阅域控制验证 (DCV) 方法。
如需对 DV 证书订单禁用 AuthKey 验证方法,请在请求的 JSON 有效负载中包括use_auth_key
参数。例如:
以下端点支持use_auth_key
参数:
有关使用 AuthKey 立即颁发 DV 证书的信息,请参阅立即颁发 DV 证书。
注意:对于 Encryption Everywhere DV 证书,在请求中忽略use_auth_key
参数。请求 Encryption Everywhere DV 证书均要求提供 AuthKey 请求令牌进行 DCV 检查。而且,OV 和 EV SSL 产品不支持use_auth_key
请求参数。
CertCentral:自动 DCV 检查 - DCV 轮询
我们很高兴宣布,我们改进了域控制验证 (DCV) 流程,并针对 DNS TXT、DNS CNAME 和 HTTP 实用演示 (FileAuth) DCV 方法新增了自动检查。
这意味着,将 fileauth.txt 文件放置在域上或在 DNS TXT 或 DNS CNAME 记录中添加随机值后,您无需登录 CertCentral 自行进行检查。我们将自动运行 DCV 检查。但是,如有需要,您仍然可以手动进行检查。
DCV 轮询频率
提交公共 SSL/TLS 证书订单、提交域进行预验证或更改域的 DCV 方法后,将立即启动 DCV 轮询并运行一周。
*间隔 5 结束后停止检查。如果在第一周结束后还未将 fileauth.txt 文件放置在域上或在 DNS TXT 或 DNS CNAME 记录中添加随机值,则需要您自行进行检查。
有关支持的 DCV 方法的更多信息: