Ask a Question

Advanced Search

Alert ID : AL170720213619

Last Modified : 07/30/2020

DigiCert ICA Update



DigiCert rotates intermediate certificates (ICAs) on a 6-month rolling basis. 


We implemented this new policy to:

  • Promote customer agility with ICA replacement
  • Reduce the likelihood of customers pinning certificates which has made certificate replacement very difficult for customers in the past
  • Reduce the scope of certificate issuance from any given ICA to mitigate the impact of changes in industry and CA/Browser Forum guidelines to intermediate and end-entity certificates

Note: SSL/TLS certificate and ICA installation should go hand in hand. We advise you to always include the provided ICA with every SSL/TLS certificate you install. This has always been the recommended best practice to ensure ICA replacements go unnoticed.


On July 30, 2020, DigiCert started the first of many ICA rotations with replacing two ICAs used to issue GeoTrust and RapidSSL DV certificates mixed SHA-256 chains. 

Make sure to monitor our DigiCert Intermediate CA certificate Replacement schedule for more information about coming changes. This is an active page that we will keep updated with release timelines for all ICA certificate replacements. 


GeoTrust DV / RapidSSL DV Intermediate CA certificate replacements

Current ICAs

New ICAs

GeoTrust RSA CA 2018 (SHA256RSA)

GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1

RapidSSL RSA CA 2018 (SHA256RSA)

RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1


These intermediate CAs chain to the DigiCert Global Root CA certificate.

To download copies of DigiCert Roots and Intermediate CA certificates, see the DigiCert Trusted Root Authority Certificates page.


What are ICAs used for?

Certificate Authorities (CAs) use intermediate CA (ICA) certificates to issue certificates such as your SSL/TLS certificates. The ICA certificate links your certificate to the trusted root certificate enabling browsers and other applications to trust it.

How does this affect me?

The July 30 ICA rollouts affect GeoTrust DV and RapidSSL DV certificates and action is required if you do any of the following:

  • Pin the old versions of the GeoTrust DV and RapidSSL DV intermediate CA certificates
  • Hard code the acceptance of the old versions of the GeoTrust DV and RapidSSL DV intermediate CA certificates
  • Operate a trust store that includes the old versions of the GeoTrust DV and RapidSSL DV intermediate CA certificates

If you do any of the above, we recommend updating your environment as soon as possible to either stop pinning and hard coding ICAs or to make the necessary changes to ensure GeoTrust DV and RapidSSL DV certificates issued from the new ICAs are trusted (in other words, can chain up to their ICA and trusted root). 


Note: Rolling out new ICAs does not affect existing certificates. We don't remove the old ICA until all the certificates issued from it have expired. This means active certificates issued from the replaced ICA will continue to be trusted.