URGENT
DigiCert replaced multiple intermediate CA certificates (ICAs).
We replaced ICAs to:
Certificate Authorities (CAs) use intermediate CA (ICA) certificates to issue certificates such as your SSL/TLS certificates. The ICA certificate links your certificate to the trusted root certificate enabling browsers and other applications to trust it.
No action is required, unless you do any of the following:
If you do any of the above, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICA certificate acceptance or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, can chain up to their ICA and trusted root certificates).
Rolling out new ICA certificates does not affect existing certificates. We don't remove an old ICA from certificate stores until all the certificates issued from it have expired. This means active certificates issued from a replaced ICA certificate continue to be trusted.
However, it does affect those certificates if you reissue them, as the reissued certificate is issued from the new ICA certificate. This means you will need to include the provided ICA certificate when you install the reissued certificate.
We recommend that you always include the provided ICA with every certificate you install. This has always been the recommended best practice to ensure ICA certificate replacements go unnoticed and to make sure certificates are trusted.
To download copies of intermediate CA and root certificates, see the DigiCert Trusted Root Authority Certificates page. This is an active page that we update as roots and intermediate CA certificates become publicly available.
Old ICA certificate | New ICA certificate | Issuing root certificate | OCSP | CRL |
|
GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA | http://ocsp.digicert.com | http://crl3.digicert.com |
|
RapidSSL Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA | http://ocsp.digicert.com | http://crl3.digicert.com |
DigiCert replaced the ICAs listed below on December 7, 2021. This change was made to remain compliant with industry standards for client certificates.
We encourage you to update key stores, code bases, and certificate pinnings that may be in use.
Old ICA and root certificates |
New ICA and root certificates |
New ICA certificate serial number |
|
|
0F:FA:E1:F3:1A:2B:43:3C:3D:9A:E1:6D:64:3B:58:8B |
New ICA | New Serial |
DigiCert TLS RSA SHA256 2020 CA1 | 06d8d904d5584346f68a2fa754227ec4 |
DigiCert Global G3 TLS ECC SHA384 2020 CA1 | 0c2254181d6dfdfa66e264e3c17a48bc |
DigiCert TLS Hybrid ECC SHA384 2020 CA1 | 07f2f35c87a877af7aefe947993525bd |
DigiCert G5 TLS ECC SHA384 2021 CA1 | 041c5d282eb3710e6b72c2dabd26716f |
DigiCert G5 TLS RSA4096 SHA384 2021 CA1 | 0e6458e754ec9cc7bac83231d5f94d58 |
DigiCert G5 RSA4096 SHA384 2021 CA1 | 0e8d2840ae4825905618b3a8a9e17a47 |
DigiCert G5 ECC SHA384 2021 CA1 | 060e453e9bf768c659336a5b02b47113 |
Old ICA certificate |
New ICA certificate |
Issuing root certificate |
OCSP | CRL |
DigiCert SHA2 Secure Server CA |
DigiCert TLS RSA SHA256 2020 CA1 Note: This will be the new default issuing ICA certificate. |
DigiCert Global Root CA |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert SHA2 Secure Server CA |
DigiCert SHA2 Secure Server CA |
DigiCert Global Root CA |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert Baltimore CA-2 G2 |
DigiCert Baltimore TLS RSA SHA256 2020 CA1 |
Baltimore CyberTrust Root |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert Global CA G2 |
DigiCert Global G2 TLS RSA SHA256 2020 CA1 |
DigiCert Global Root G2 |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert ECC Secure Server CA |
DigiCert TLS Hybrid ECC SHA384 2020 CA1 |
DigiCert Global Root CA |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert Baltimore CA-1 G2 |
DigiCert Baltimore SMIME RSA SHA256 2020 CA1 |
Baltimore CyberTrust Root |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert Global CA G3 |
DigiCert Global G3 TLS ECC SHA384 2020 CA1 |
DigiCert Global Root G3 |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert Trusted Server CA G4 |
DigiCert Trusted G4 TLS RSA SHA384 2020 CA1 |
DigiCert Trusted Root G4 |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert ECC Extended Validation Server CA |
DigiCert TLS Hybrid ECC SHA384 2020 CA1 |
DigiCert Global Root CA |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert Assured ID CA G2 |
DigiCert Global G2 TLS RSA SHA256 2020 CA1 |
DigiCert Global Root G2 |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert Extended Validation CA G3 |
DigiCert Global G3 TLS ECC SHA384 2020 CA1 |
DigiCert Global Root G3 |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert High Assurance CA-3 |
DigiCert TLS RSA SHA256 2020 CA1 |
DigiCert Global Root CA |
http://ocsp.digicert.com |
http://crl3.digicert.com |
DigiCert EV Server CA G4 |
DigiCert Trusted G4 TLS RSA SHA384 2020 CA1 |
DigiCert Trusted Root G4 |
http://ocsp.digicert.com |
http://crl3.digicert.com
|