Alert ID : AL170720213619

Last Modified : 09/24/2020

DigiCert ICA Update

URGENT

Description

DigiCert rotates intermediate CA certificates (ICAs) on a 6-month rolling basis.

 

We implemented this policy to:

  • Promote agility with ICA replacement.
  • Reduce the likelihood of pinning ICA certificates or hard coding ICA certificate trust, which makes replacing these certificates difficult.
  • Reduce the scope of certificate issuance from any given ICA to mitigate the impact of changes in industry and CA/Browser Forum guidelines to intermediate and end-entity certificates.

 

What are ICA certificates used for?

Certificate Authorities (CAs) use intermediate CA (ICA) certificates to issue certificates such as your SSL/TLS certificates. The ICA certificate links your certificate to the trusted root certificate, which enables browsers and other applications to trust it.

 

How do new ICA certificates affect me?

No action is required, unless you do any of the following:

  • Pin the old versions of replaced intermediate CA certificates
  • Hard code the acceptance of the old versions of replaced intermediate CA certificates
  • Operate a trust store that includes the old versions of replaced intermediate CA certificates

If you do any of the above, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICA certificate acceptance or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, can chain up to their ICA and trusted root).

 

How does ICA replacement affect existing certificates?

Rolling out new ICA certificates does not affect existing certificates. We don't remove an old ICA from certificate stores until all the certificates issued from it have expired. This means active certificates issued from a replaced ICA certificate continue to be trusted.

However, it does affect those certificates if you reissue them, as the reissued certificate is issued from the new ICA certificate. This means you will need to include the provided ICA certificate when you install the reissued certificate.

 

Best practice

We recommend that you always include the provided ICA with every certificate you install. This has always been the recommended best practice to ensure ICA certificate replacements go unnoticed and to make sure certificates are trusted.
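The effect described above can be reproduced offline. The following is an added example, not DigiCert code: it builds a constructed root, an old ICA, a new ICA and a leaf reissued from the new ICA, then validates the leaf with Go's crypto/x509 under three client setups. All certificate names are constructed, and pinning is modelled as trusting only the old ICA as the anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const caUse = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue builds a constructed test certificate for cn signed by parent (self-signed if parent is nil).
func issue(cn string, use x509.KeyUsage, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: use,
		Subject: pkix.Name{CommonName: cn}, IsCA: use&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// Scenario validates a leaf reissued from the new ICA. All names are constructed.
func Scenario() (rootPlusICA, rootNoICA, pinnedOldICA bool) {
	root, rootKey := issue("Constructed Root", caUse, nil, nil)
	oldICA, _ := issue("Constructed Old ICA", caUse, root, rootKey)
	newICA, newKey := issue("Constructed New ICA", caUse, root, rootKey)
	leaf, _ := issue("www.example.test", x509.KeyUsageDigitalSignature, newICA, newKey)
	ok := func(anchors, sent *x509.CertPool) bool {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: anchors, Intermediates: sent})
		return err == nil
	}
	return ok(pool(root), pool(newICA)), ok(pool(root), pool()), ok(pool(oldICA), pool(newICA))
}
func main() { fmt.Println(Scenario()) }
```

Only the first setup validates: the client trusts the root and the server sends the new ICA. A server that omits the new ICA, or a client that trusts only the old ICA, cannot build a chain for the reissued certificate.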

 

September 2020: ICA certificate replacements

Starting September 24, 2020, DigiCert plans to replace the ICAs listed below and encourages you to update key stores and any certificate pinning that may be in use.

  • DigiCert SHA2 Secure Server CA
  • DigiCert Baltimore CA-2 G2
  • DigiCert Global CA G2
  • DigiCert ECC Secure Server CA
  • DigiCert Baltimore CA-1 G2
  • DigiCert Secure Auth CA
  • DigiCert ECC Extended Validation Server CA
  • DigiCert Assured ID CA G2
  • DigiCert Global CA G3
  • DigiCert Extended Validation CA G3
  • DigiCert Trusted Server CA G4
  • DigiCert High Assurance CA-3
  • DigiCert SHA-2 RADIUS CA
  • DigiCert EV Server CA G4
  • DigiCert Global Client CA G2
  • DigiCert Assured ID CA G3
  • DigiCert Baltimore EV CA
  • Symantec Class 3 ECC 256 bit SSL CA - G2
  • Symantec Class 3 EV SSL CA - G3
  • Symantec Class 3 Secure Server CA - G4
  • Symantec Class 3 Secure Server SHA256 SSL CA
  • Symantec Class 3 SHA256 Code Signing CA
  • thawte SHA256 Code Signing CA
  • GeoTrust EV SSL CA - G4
  • thawte EV SSL CA - G3
  • thawte SHA256 SSL CA
  • thawte SSL CA - G2

 

Intermediate CA certificate replacements

To download copies of intermediate CA and root certificates, see the DigiCert Trusted Root Authority Certificates page. This is an active page that we update as roots and intermediate CA certificates become publicly available.

 

September 2020

| Current ICA certificate | New ICA certificate | Issuing root certificate |
|---|---|---|
| DigiCert SHA2 Secure Server CA | DigiCert SHA2 Secure Server CA | DigiCert Global Root CA |
| DigiCert SHA2 Secure Server CA | DigiCert TLS RSA SHA256 2020 CA1 | DigiCert Global Root CA |
| DigiCert Baltimore CA-2 G2 | DigiCert Baltimore TLS RSA SHA256 2020 CA1 | Baltimore CyberTrust Root |
| DigiCert Global CA G2 | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | DigiCert Global Root G2 |
| DigiCert ECC Secure Server CA | DigiCert TLS Hybrid ECC SHA384 2020 CA1 | DigiCert Global Root CA |
| DigiCert Baltimore CA-1 G2 | DigiCert Baltimore SMIME RSA SHA256 2020 CA1 | Baltimore CyberTrust Root |
| DigiCert Secure Auth CA | DigiCert Secure Auth CA2 | DigiCert Assured ID Root CA |
| DigiCert Global CA G3 | DigiCert Global G3 TLS ECC SHA384 2020 CA1 | DigiCert Global Root G3 |
| DigiCert Trusted Server CA G4 | DigiCert Trusted G4 TLS RSA SHA384 2020 CA1 | DigiCert Trusted Root G4 |
| DigiCert SHA-2 RADIUS CA | DigiCert RADIUS RSA SHA256 2020 CA1 | DigiCert Global Root G2 |

 

July 2020

| Current ICA certificate | New ICA certificate | Issuing root certificate |
|---|---|---|
| GeoTrust RSA CA 2018 (SHA256RSA) | GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 | DigiCert Global Root CA |
| RapidSSL RSA CA 2018 (SHA256RSA) | RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1 | DigiCert Global Root CA |