Ask a Question

Advanced Search

Alert ID : AL060720205025

Last Modified : 07/11/2020

DigiCert ICA Replacement

URGENT

Description

DigiCert has identified an issue where some of our intermediate CAs (ICAs) were not listed as part of our most recent WebTrust EV audit.

 

We are revoking all of the EV end-entity certificates issued from the impacted issuing CAs that were not specified on an EV WebTrust audit report; we are not revoking the ICAs. We stopped issuing EV certificates from the impacted ICAs as of July 6, 2020 and notified all impacted parties.

 

OV and DV certificates are unaffected by these changes.

 

Solution

The EV certificates being revoked chain to one of the following affected ICAs:

We are retiring these ICAs for EV issuance:

  • DigiCert Global CA G2  
  • GeoTrust TLS RSA CA G1  
  • Thawte TLS RSA CA G1  
  • Secure Site CA  
  • NCC Group Secure Server CA G2  
  • TERENA SSL High Assurance CA 3

 

We have new ICAs in place, to which free reissues for customers of the impacted end-entity certificates will properly chain.

Our retired ICAs will be replaced with new ICAs:

 

Who does this affect?

 

This change affects customers who have issued EV certificates using these chains from:

  • CertCentral
  • Symantec
  • Thawte
  • GeoTrust

 

This also affects customers with EV certificates utilizing:

  • CA over-rides
  • ICA pinning that has been identified for EV retirement

 

Please Note: Although there is no security threat, we are required by the EV Guidelines to revoke your EV certificates by July 11, 2020.

 

What Action is Required?

  1. Sign in to your account and locate if your certificate(s) are affected.
  2. Reissue ("Replace" if you are still managing certificates on the MSSL/CWS portals) and re-install affected certificates before July 11.

 

If you require any additional assistance, please contat support.