Alert ID : INFO4621

Last Modified : 05/21/2018

SSL/TLS OCSP and CRL in Symantec new Web PKI hierarchy certificates

Description

Symantec's new Web PKI hierarchy aims to modernize and streamline our SSL/TLS certificate offerings. Symantec expects to issue all new public SSL/TLS certificates from the existing DigiCert public roots starting 28 November, 2017. For details on these roots and intermediate CA certificates, please see INFO4562.

When you obtain new public SSL/TLS certificates issued from the DigiCert roots, their certificate profiles carry the new OCSP and CRL URLs.

  • OCSP (Online Certificate Status Protocol) is an Internet protocol used to determine the revocation status of an identified certificate.
  • CRL (Certificate Revocation List) is a list of certificates that have been revoked prior to their expiration date.


What this means to you

If your corporate firewall and/or access control devices are configured to allow only a certain set of URLs to be accessed from your network, you'll need to add the new OCSP and CRL URLs to the allow-list on your firewall and/or access control devices to ensure seamless access to the new OCSP responder and CRL distribution points. The new OCSP and CRL URLs are listed in the table below.

Product: OV, Hierarchy: Mixed SHA256
  Intermediate CA: DigiCert SHA2 Secure Server CA
  Root CA:         DigiCert Global Root CA
  OCSP:            http://ocsp.digicert.com
  CRL:             http://crl4.digicert.com/ssca-sha2-g6.crl
  Test Site:       https://global-root-ca.chain-demos.digicert.com/

Product: OV/EV, Hierarchy: Full SHA256
  Intermediate CA: DigiCert Global CA G2
  Root CA:         DigiCert Global Root CA G2
  OCSP:            http://ocsp.digicert.com
  CRL:             http://crl3.digicert.com/DigiCertGlobalCAG2.crl
                   http://crl4.digicert.com/DigiCertGlobalCAG2.crl
  Test Site:       https://global-root-g2.chain-demos.digicert.com/

Product: EV, Hierarchy: Mixed SHA256
  Intermediate CA: DigiCert SHA2 Extended Validation Server CA
  Root CA:         DigiCert High Assurance EV Root CA
  OCSP:            http://ocsp.digicert.com
  CRL:             http://crl4.digicert.com/sha2-ev-server-g2.crl
  Test Site:       https://ev-root.chain-demos.digicert.com/

Product: EV, Hierarchy: Full ECC
  Intermediate CA: DigiCert Extended Validation CA G3
  Root CA:         DigiCert Global Root G3
  OCSP:            http://ocsp.digicert.com
  CRL:             http://crl3.digicert.com/evca-g3-group1.crl
                   http://crl4.digicert.com/evca-g3-group1.crl
  Test Site:       https://global-root-g3.chain-demos.digicert.com

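The following is an added example, not code from the Symantec/DigiCert article: it reads the OCSP and CRL URLs that a certificate actually carries and reports which of their hosts a firewall allow-list does not yet cover. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, so the same check can be fed a live handshake against one of the test sites above; the sample dictionary is constructed by hand from the table's first row, and the helper name fetch_peercert is this example's own.

```python
"""Check a certificate's OCSP/CRL endpoints against a firewall allow-list.

Added example, not part of the article.  Operates on the dictionary shape
returned by ssl.SSLSocket.getpeercert(); the sample data is constructed.
"""
import socket
import ssl
from urllib.parse import urlparse

# Hosts named in the OCSP and CRL columns of the article's table.
ARTICLE_ALLOWED_HOSTS = {"ocsp.digicert.com", "crl3.digicert.com", "crl4.digicert.com"}


def revocation_urls(peercert):
    """Return the OCSP responder URLs followed by the CRL distribution point
    URLs from a getpeercert()-style dictionary.  The keys are 'OCSP' and
    'crlDistributionPoints', each a tuple of strings; either may be absent."""
    return list(peercert.get("OCSP", ())) + list(peercert.get("crlDistributionPoints", ()))


def missing_from_allowlist(peercert, allowed_hosts):
    """Return the revocation URLs whose host is not on the allow-list, i.e.
    the entries an administrator still has to add.  Comparison is by hostname
    only, which is what URL-based firewall rules normally key on."""
    allowed = {h.lower() for h in allowed_hosts}
    missing = []
    for url in revocation_urls(peercert):
        host = urlparse(url).hostname
        if host is None or host.lower() not in allowed:
            missing.append(url)
    return missing


def fetch_peercert(hostname, port=443, timeout=10):
    """Hypothetical helper: perform a TLS handshake and return the server
    certificate in getpeercert() form.  Not called below (it needs network);
    point it at one of the article's test sites to check a live chain."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() form for an OV certificate issued by
# DigiCert SHA2 Secure Server CA, using the URLs from the article's table.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "global-root-ca.chain-demos.digicert.com"),),),
    "issuer": ((("commonName", "DigiCert SHA2 Secure Server CA"),),),
    "OCSP": ("http://ocsp.digicert.com",),
    "crlDistributionPoints": ("http://crl4.digicert.com/ssca-sha2-g6.crl",),
}

# Constructed allow-list that predates the new hierarchy: it knows the OCSP
# responder but not the CRL host, so the CRL URL is reported as missing.
OLD_ALLOWLIST = {"ocsp.digicert.com"}

if __name__ == "__main__":
    for name, allowlist in (("article list", ARTICLE_ALLOWED_HOSTS), ("old list", OLD_ALLOWLIST)):
        gaps = missing_from_allowlist(SAMPLE_PEERCERT, allowlist)
        print(f"{name}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run it against every certificate your servers present, not just one product line, because the CRL host differs between rows of the table (crl3 versus crl4) and a rule written for one hierarchy will not cover the other.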
If your corporate firewall and/or access control devices are configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to include the following IP addresses in addition to the URLs above.

  • 192.16.58.8
  • 117.18.237.29
  • 93.184.220.29
  • 72.21.91.29
  • 66.225.197.197