CertCentral to issue GeoTrust and RapidSSL DV certificates from new intermediate CA certificates
On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.
Old ICA certificates
New ICA certificates
See the DigiCert ICA Update KB article.
How does this affect me?
Rolling out new ICA certificates does not affect your existing DV certificates. Active certificates issued from the replaced ICA certificates will remain trusted until they expire.
However, all new certificates, including certificate reissues, will be issued from the new ICA certificates. To ensure ICA certificate replacements go unnoticed, always include the provided ICA certificate with every TLS certificate you install.
No action is required unless you do any of the following:
Action required
If you practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. You should stop pinning and hard coding ICA certificates or make the necessary changes to ensure your GeoTrust DV and RapidSSL DV certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to their new ICA certificate and trusted root.
See the DigiCert Trusted Root Authority Certificates page to download copies of the new Intermediate CA certificates.
What if I need more time?
If you need more time to update your environment, you can continue to use the old 2020 ICA certificates until they expire. Contact DigiCert Support, and they can set that up for your account. However, after May 31, 2022, RapidSSL DV and GeoTrust DV certificates issued from the 2020 ICA certificates will be truncated to less than one year.
CertCentral Report Library now available
We are happy to announce the CertCentral Report Library is now available for CertCentral Enterprise and CertCentral Partner.* The Report Library is a powerful reporting tool that allows you to download more than 1000 records at a time. Use the Report Library to build, schedule, organize, and export reports to share and reuse.
The Report Library includes six customizable reports: Orders, Organizations, Balance history, Audit log, Domains, and Fully qualified domain names (FQDN). When building reports, you control the details and information that appear in the report, configure the columns and column order, schedule how often you want the report to run (once, weekly, or monthly), and choose the report format (CSV, JSON, or Excel). In addition, you receive notices when the report is ready for download in your account.
To build your first report:
To learn more about building reports:
*Note: Don't see the Report Library in your account? Contact your account manager or our support team for help.
CertCentral Report Library API also available
We're pleased to announce the release of the CertCentral Report Library API! This new API service makes it possible to leverage key features of the Report Library in your CertCentral API integrations, including building reports and downloading report results*.
See our Report Library API documentation to learn more about including the Report Library in your API integrations.
*Note: To use the CertCentral Report Library API, Report Library must be enabled for your CertCentral account. For help activating the Report Library, contact your account manager or our support team.
Bugfix: Unique organization name check did not include assumed name
We updated our unique organization name check to include the assumed name (doing business as name) when creating an organization.
Before, in CertCentral and the CertCentral Services API, when you tried to create an organization with the same name as an existing organization, we returned an error and would not let you create the organization, even if the assumed name (DBA) was different.
Now, when you create an organization, we include the assumed name in the unique organization check. Therefore, you can create organizations with the same name, as long as each organization has a unique assumed name.
For example:
Creating organizations
In CertCentral and the CertCentral Services API, you can create an organization to submit for prevalidation or when you order a TLS/SSL certificate. This change applies to both processes.
CertCentral: DigiCert now issues client certificates from the DigiCert Assured ID Client CA G2 intermediate CA certificate
To remain compliant with industry standards, DigiCert had to replace the intermediate CA (ICA) certificate used to issue CertCentral client certificates.
CertCentral client certificate profiles that used the DigiCert SHA2 Assured ID CA intermediate CA certificate now use the DigiCert Assured ID Client CA G2 intermediate CA certificate. This change also changes the root certificate from DigiCert Assured ID Root CA to DigiCert Assured ID Root G2.
Old ICA and root certificates
New ICA and root certificates
For more information, see DigiCert ICA Update. To download a copy of the new intermediate CA certificate, see DigiCert Trusted Root Authority Certificates.
Do you still need your client certificate to chain to the DigiCert Assured ID Root CA certificate? Contact your account representative or DigiCert Support.
Industry moves to 3072-bit key minimum RSA code signing certificates
Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes,
How do these changes affect my existing 2048-bit key certificates?
All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.
What if I need 2048-bit key code signing certificates?
Take these actions, as needed, before May 27, 2021:
How do these changes affect my code signing certificate process starting May 27, 2021?
Reissues for code signing certificate
Starting May 27, 2021, all reissued code signing certificates will be:
New and renewed code signing certificates
Starting May 27, 2021, all new and renewed code signing certificates will be:
CSRs for code signing certificates
Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.
eTokens for EV code signing certificates
Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.
HSMs for EV code signing certificates
Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.
New ICA and root certificates
Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).
RSA ICA and root certificates:
ECC ICA and root certificates:
No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.
If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).
References
If you have questions or concerns, please contact your account manager or our support team.
CertCentral Services API: Auto-reissue support for Multi-year Plans
We are happy to announce that the CertCentral Services API now supports automatic certificate reissue requests (auto-reissue) for Multi-year Plans. The auto-reissue feature makes it easier to maintain SSL/TLS coverage on your Multi-year Plans.
You can enable auto-reissue for individual orders in your CertCentral account. When auto-reissue is enabled, we automatically create and submit a certificate reissue request 30 days before the most recently issued certificate on the order expires.
Enable auto-reissue for a new order
To give you control over the auto-reissue setting for new Multi-year Plans, we added a new request parameter to the endpoints for ordering DV, OV, and EV TLS/SSL certificates: auto_reissue
.
By default, auto-reissue is disabled for all orders. To enable auto-reissue when you request a new Multi-year Plan, set the value of the auto_reissue
parameter to 1
in the body of your request.
Example request body:
Note: In new order requests, we ignore the auto_reissue
parameter if:
Update auto-reissue setting for existing orders
To give you control over the auto-reissue setting for existing Multi-year Plans, we added a new endpoint: Update auto-reissue settings. Use this endpoint to enable or disable the auto-reissue setting for an order.
Get auto-reissue setting for an existing order
To help you track the auto-reissue setting for existing certificate orders, we added a new response parameter to the Order info endpoint: auto_reissue
. The auto_reissue
parameter returns the current auto-reissue setting for the order.
ICA certificate chain selection for public DV flex certificates
We are happy to announce that select public DV certificates now support Intermediate CA certificate chain selection:
You can add a feature to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues the end-entity certificate when you order these public DV products.
This feature allows you to:
Configure ICA certificate chain selection
To enable ICA selection for your account:
For more information and step-by-step instructions, see the Configure the ICA certificate chain feature for your public TLS certificates.
DigiCert Services API: DV certificate support for ICA certificate chain selection
In the DigiCert Services API, we made the following updates to support ICA selection in your DV certificate order requests:
Pass in the issuing ICA certificate's ID as the value for the ca_cert_id parameter in your order request's body.
Example DV certificate request:
For more information about using ICA selection in your API integrations, see DV certificate lifecycle – Optional ICA selection.
DigiCert 停止颁发 SHA-1 代码签名证书
星期二, 2020 年 12 月 1 日 MST,DigiCert 将停止颁发 SHA-1 代码签名证书和 SHA-1 EV 代码签名证书。
注意:所有现有的 SHA-1 代码签名/EV 代码签名证书在到期前将一直有效。
DigiCert 为什么进行这些更改?
为了遵循新的行业标准,证书颁发机构 (CA) 必须在 2021 年 1 月 1 日之前进行以下更改:
请参阅关于颁发和管理公共信任的代码签名证书的基准要求附录 A。
SHA-1 代码签名证书更改对我有什么影响?
如果您依赖于 SHA-1 代码签名证书,请在 2020 年 12 月 1 日之前根据需要执行以下操作:
有关 2020 年 12 月 1 日更改的更多信息,请参阅 我们的知识库文章 DigiCert 停止颁发 SHA-1 代码签名证书。
如果您有其他疑问,请联系客户经理或我们的 支持团队。
DigiCert 更换中间 CA 证书
2020 年 11 月 2 日,DigiCert 将更换另一组中间 CA 证书 (ICA)。关于更换的 ICA 证书列表,请参阅我们的 DigiCert ICA 更新知识库文章。
对我有什么影响?
推出新 ICA 不会影响现有证书。从旧 ICA 颁发的所有证书到期之前,我们不会从证书存储中删除旧 ICA。这意味着从被替换掉的 ICA 颁发的活跃证书将继续受到信任。
但是,它会影响您补发这些现有证书,因为会从新的 ICA 颁发。我们建议您始终将所提供的 ICA 添加到您安装的每个证书中。为了确保无缝地完成 ICA 替换流程,这一直是我们推荐的最佳做法。
无需操作,除非您执行以下任一操作:
如果您执行以上任何一项操作,我们建议您尽快更新您的环境。停止固定 ICA 和对其进行硬编码,或进行必要的更改以确保通过新 ICA 颁发的证书受信任(换句话说,可以链接到其更新的 ICA 和受信任的根)。
中间 CA 证书更换
确保密切关注下列页面。这些是活跃页面,会定期更新 ICA 证书更换信息并提供新的 DigiCert 中间 CA 证书的副本。
DigiCert 为什么要更换中间 CA 证书?
我们更换 ICA 的目的是:
如果您有疑问或顾虑,请联系客户经理或我们的支持团队。
面向公共 OV 和 EV 灵活证书的 ICA 证书链选项
我们很高兴宣布,具有灵活功能的公共 OV 和 EV 证书现在支持中间 CA 证书链选项。
您可以在 CertCentral 帐户中添加一个选项,用于控制哪个 DigiCert ICA 证书链颁发您的公共 OV 和 EV "灵活"证书。
该选项可用于:
配置 ICA 证书链选项
如需对帐户启用 ICA 选项,请联系您的客户经理或我们的支持团队。然后,在您的 CertCentral 帐户中的产品设置页面上(从左侧主菜单转到设置 > 产品设置),为每种类型的 OV 和 EV 灵活证书配置默认和允许的中间证书。
有关更多信息和步骤说明,请参阅公共 OV 和 EV 灵活证书的 ICA 证书链选项。
DigiCert 服务 API 支持 ICA 证书链选项
在 DigiCert 服务 API 中,我们进行了以下更新,以支持在您的 API 集成中进行 ICA 选择:
ca_cert_id
参数值。灵活证书请求示例:
有关在 API 集成中使用 ICA 选项的更多信息,请参阅 OV/EV 证书生命周期 -(可选)ICA 选择。