DigiCert ICA Update

Description

DigiCert replaced multiple intermediate CA certificates (ICAs).

We replaced ICAs to:

Promote agility with ICA replacement.
Reduce the likelihood of pinning ICA certificates or hard coding ICA certificate trust, which makes replacing these certificates difficult.
Reduce the scope of certificate issuance from any given ICA to mitigate the impact of changes in industry and CA/Browser Forum guidelines for intermediate and end-entity certificates.

What are ICA certificates used for?

Certificate Authorities (CAs) use intermediate CA (ICA) certificates to issue certificates such as your SSL/TLS certificates. The ICA certificate links your certificate to the trusted root certificate enabling browsers and other applications to trust it.

How do new ICA certificates affect me?

No action is required, unless you do any of the following:

Pin the old versions of replaced intermediate CA certificates
Hard code the acceptance of the old versions of replaced intermediate CA certificates
Operate a trust store that includes the old versions of replaced intermediate CA certificates

If you do any of the above, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICA certificate acceptance or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, can chain up to their ICA and trusted root certificates).

How does ICA replacement affect existing certificates?

Rolling out new ICA certificates does not affect existing certificates. We don't remove an old ICA from certificate stores until all the certificates issued from it have expired. This means active certificates issued from a replaced ICA certificate continue to be trusted.

However, it does affect those certificates if you reissue them, as the reissued certificate is issued from the new ICA certificate. This means you will need to include the provided ICA certificate when you install the reissued certificate.

Best practice

We recommend that you always include the provided ICA with every certificate you install. This has always been the recommended best practice to ensure ICA certificate replacements go unnoticed and to make sure certificates are trusted.

Intermediate CA certificate replacements

To download copies of intermediate CA and root certificates, see the DigiCert Trusted Root Authority Certificates page. This is an active page that we update as roots and intermediate CA certificates become publicly available.

May 2022 DV ICA Replacements

DigiCert will replace the ICAs listed below on May 24, 2022. We encourage you to update key stores, code bases, and certificate pinnings that may be in use.

Old ICA certificate	New ICA certificate	Issuing root certificate	OCSP	CRL
GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 GeoTrust TLS DV RSA Mixed SHA256 2021 CA-1	GeoTrust Global TLS RSA4096 SHA256 2022 CA1	DigiCert Global Root CA	http://ocsp.digicert.com	http://crl3.digicert.com
RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1 RapidSSL TLS DV RSA Mixed SHA256 2021 CA-1	RapidSSL Global TLS RSA4096 SHA256 2022 CA1	DigiCert Global Root CA	http://ocsp.digicert.com	http://crl3.digicert.com

December 2021 client certificate ICA replacements

DigiCert replaced the ICAs listed below on December 7, 2021. This change was made to remain compliant with industry standards for client certificates.

We encourage you to update key stores, code bases, and certificate pinnings that may be in use.

Old ICA and root certificates	New ICA and root certificates	New ICA certificate serial number
(ICA) DigiCert SHA2 Assured ID CA (Root) DigiCert Assured ID Root CA	(ICA) DigiCert Assured ID Client CA G2 (Root) DigiCert Assured ID Root G2	0F:FA:E1:F3:1A:2B:43:3C:3D:9A:E1:6D:64:3B:58:8B

June 2021 EV and OV ICA Replacements

DigiCert replaced the ICAs listed below on June 9, 2021.

We encourage you to update key stores, code bases, and certificate pinnings that may be in use. Customers impacted by these ICA changes, such as those utilizing ca_cert_id parameter, should contact their account manager or our support teams to explore options.

This change was made to restore compatibility with Google Chrome’s EV indicators.

The new ICAs have the same Subject Name and key pair. Customers pinning to either of these values do not need to make any changes. Customers pinning to any other field, such as certificate serial number must update their pinning configuration immediately. Note that DigiCert does not recommend pinning because of operational risks.

New ICA	New Serial
DigiCert TLS RSA SHA256 2020 CA1	06d8d904d5584346f68a2fa754227ec4
DigiCert Global G3 TLS ECC SHA384 2020 CA1	0c2254181d6dfdfa66e264e3c17a48bc
DigiCert TLS Hybrid ECC SHA384 2020 CA1	07f2f35c87a877af7aefe947993525bd
DigiCert G5 TLS ECC SHA384 2021 CA1	041c5d282eb3710e6b72c2dabd26716f
DigiCert G5 TLS RSA4096 SHA384 2021 CA1	0e6458e754ec9cc7bac83231d5f94d58
DigiCert G5 RSA4096 SHA384 2021 CA1	0e8d2840ae4825905618b3a8a9e17a47
DigiCert G5 ECC SHA384 2021 CA1	060e453e9bf768c659336a5b02b47113

November 2020 ICA Replacements

DigiCert replaced the ICAs listed below on November 2, 2020.
We encourage you to update key stores, needed code, and certificate pinnings that may be in use.

Old ICA certificate	New ICA certificate	Issuing root certificate	OCSP	CRL
DigiCert SHA2 Secure Server CA	DigiCert TLS RSA SHA256 2020 CA1 Note: This will be the new default issuing ICA certificate.	DigiCert Global Root CA	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert SHA2 Secure Server CA	DigiCert SHA2 Secure Server CA	DigiCert Global Root CA	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert Baltimore CA-2 G2	DigiCert Baltimore TLS RSA SHA256 2020 CA1	Baltimore CyberTrust Root	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert Global CA G2	DigiCert Global G2 TLS RSA SHA256 2020 CA1	DigiCert Global Root G2	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert ECC Secure Server CA	DigiCert TLS Hybrid ECC SHA384 2020 CA1	DigiCert Global Root CA	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert Baltimore CA-1 G2	DigiCert Baltimore SMIME RSA SHA256 2020 CA1	Baltimore CyberTrust Root	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert Global CA G3	DigiCert Global G3 TLS ECC SHA384 2020 CA1	DigiCert Global Root G3	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert Trusted Server CA G4	DigiCert Trusted G4 TLS RSA SHA384 2020 CA1	DigiCert Trusted Root G4	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert ECC Extended Validation Server CA	DigiCert TLS Hybrid ECC SHA384 2020 CA1	DigiCert Global Root CA	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert Assured ID CA G2	DigiCert Global G2 TLS RSA SHA256 2020 CA1	DigiCert Global Root G2	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert Extended Validation CA G3	DigiCert Global G3 TLS ECC SHA384 2020 CA1	DigiCert Global Root G3	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert High Assurance CA-3	DigiCert TLS RSA SHA256 2020 CA1	DigiCert Global Root CA	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com
DigiCert EV Server CA G4	DigiCert Trusted G4 TLS RSA SHA384 2020 CA1	DigiCert Trusted Root G4	http://ocsp.digicert.com	http://crl3.digicert.com http://crl4.digicert.com

Contact Support

Chat

Email

Select a Language

Chat

Email

Ask a Question