CertCentral to issue GeoTrust and RapidSSL DV certificates from new intermediate CA certificates
On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.
Old ICA certificates
New ICA certificates
See the DigiCert ICA Update KB article.
How does this affect me?
Rolling out new ICA certificates does not affect your existing DV certificates. Active certificates issued from the replaced ICA certificates will remain trusted until they expire.
However, all new certificates, including certificate reissues, will be issued from the new ICA certificates. To ensure ICA certificate replacements go unnoticed, always include the provided ICA certificate with every TLS certificate you install.
No action is required unless you do any of the following:
Action required
If you practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. You should stop pinning and hard coding ICA certificates or make the necessary changes to ensure your GeoTrust DV and RapidSSL DV certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to their new ICA certificate and trusted root.
See the DigiCert Trusted Root Authority Certificates page to download copies of the new Intermediate CA certificates.
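The check described above, as an added example (not DigiCert tooling and not part of the original notice): it builds a constructed test PKI and shows that a leaf issued from a new ICA chains to the root only when the new ICA is installed with it, and that an SPKI pin set listing only the old ICA does not match the new one. The names root, old_ica, new_ica, leaf and pins.txt are made up for the demo, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed test PKI (not DigiCert's certificates): one root, an "old" and a
# "new" ICA, and a leaf issued from the new ICA, as after an ICA replacement.
W=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$W/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$W/leaf.ext"

# issue NAME EXT [SIGNER]: write NAME.key and NAME.pem; self-signed if no SIGNER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed $1" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null || return 1
  if [ -n "${3:-}" ]; then
    openssl x509 -req -in "$W/$1.csr" -days 30 -extfile "$W/$2.ext" \
      -CA "$W/$3.pem" -CAkey "$W/$3.key" -CAcreateserial -out "$W/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$W/$1.csr" -days 30 -extfile "$W/$2.ext" \
      -signkey "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
  fi
}

# chain_ok LEAF BUNDLE: does LEAF verify to the trusted root using only the
# intermediates installed alongside it (BUNDLE)?
chain_ok() {
  openssl verify -CAfile "$W/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1
}

# spki_pin CERT: base64 SHA-256 of the certificate's public key (SPKI pin format).
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

# pinned PINFILE CERT: is CERT's SPKI pin listed in PINFILE?
pinned() { grep -qxF "$(spki_pin "$2")" "$1"; }

issue root ca && issue old_ica ca root && issue new_ica ca root &&
  issue leaf leaf new_ica
spki_pin "$W/old_ica.pem" > "$W/pins.txt"   # constructed pin set: old ICA only

chain_ok "$W/leaf.pem" "$W/new_ica.pem" && echo "new ICA installed: chains to root"
chain_ok "$W/leaf.pem" "$W/old_ica.pem" || echo "stale old ICA installed: chain broken"
pinned "$W/pins.txt" "$W/new_ica.pem"   || echo "ICA pin set does not match the new ICA"
```

To audit a real deployment with the same functions, pass your installed certificate and intermediate bundle to chain_ok and point its -CAfile at the root you actually trust.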
What if I need more time?
If you need more time to update your environment, you can continue to use the old 2020 ICA certificates until they expire. Contact DigiCert Support, and they can set that up for your account. However, after May 31, 2022, RapidSSL DV and GeoTrust DV certificates issued from the 2020 ICA certificates will be truncated to less than one year.
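DigiCert replacing intermediate CA certificates
On November 2, 2020, DigiCert is replacing another set of intermediate CA certificates (ICAs). For a list of the ICA certificates being replaced, see our DigiCert ICA Update KB article.
How does this affect me?
Rolling out new ICAs does not affect existing certificates. We don't remove an old ICA from certificate stores until all certificates issued from it have expired. This means active certificates issued from the replaced ICA will continue to be trusted.
However, it will affect reissues of these existing certificates, because they will be issued from the new ICA. We recommend that you always include the provided ICA with every certificate you install. This has always been our recommended best practice for making sure ICA replacements go unnoticed.
No action is required unless you do any of the following:
If you do any of the above, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs, or make the necessary changes to ensure certificates issued from the new ICAs are trusted (in other words, can chain up to their updated ICA and trusted root).
Intermediate CA certificate replacements
Make sure to keep a close watch on the pages listed below. These are active pages that are updated regularly with ICA certificate replacement information and copies of the new DigiCert intermediate CA certificates.
Why is DigiCert replacing intermediate CA certificates?
We are replacing ICAs to:
If you have questions or concerns, contact your account manager or our support team.
ICA certificate chain selection for public OV and EV flex certificates
We are happy to announce that public OV and EV certificates with flex capabilities now support intermediate CA certificate chain selection.
You can add an option to your CertCentral account that lets you control which DigiCert ICA certificate chain issues your public OV and EV "flex" certificates.
This option allows you to:
Configure ICA certificate chain selection
To enable ICA selection for your account, contact your account manager or our support team. Then, in your CertCentral account, on the Product Settings page (in the left main menu, go to Settings > Product Settings), configure the default and allowed intermediates for each type of OV and EV flex certificate.
For more information and step-by-step instructions, see ICA certificate chain option for public OV and EV flex certificates.
DigiCert Services API support for ICA certificate chain selection
In the DigiCert Services API, we made the following updates to support ICA selection in your API integrations:
ca_cert_id
parameter value. Example flex certificate request:
For more information about using ICA selection in your API integrations, see OV/EV certificate lifecycle - (Optional) ICA selection.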