Symantec's new Web PKI hierarchy aims to modernize and streamline our SSL/TLS certificate offerings. Symantec expects to issue all new public SSL/TLS certificates from the existing DigiCert public roots starting 28 November, 2017. For details on these roots and intermediate CA certificates, please see INFO4562.
New public SSL/TLS certificates issued from the DigiCert roots carry the new OCSP and CRL URLs in their certificate profiles.
What this means to you
If your corporate firewall and/or access control devices are configured to allow only a certain set of URLs to be accessed from your network, you'll need to whitelist the new entries on those devices to ensure seamless access to the new OCSP and CRL URLs. The new OCSP and CRL URLs are listed in the table below.
|Product||Hierarchy||Intermediate CA||Root CA||OCSP||CRL||Test Site|
|OV||Mixed SHA256||DigiCert SHA2 Secure Server CA||DigiCert Global Root CA||http://ocsp.digicert.com||http://crl4.digicert.com/ssca-sha2-g6.crl|| |
|OV/EV||Full SHA256||DigiCert Global CA G2||DigiCert Global Root CA G2||http://ocsp.digicert.com||http://crl3.digicert.com/DigiCertGlobalCAG2.crl|| |
|EV||Mixed SHA256||DigiCert SHA2 Extended Validation Server CA||DigiCert High Assurance EV Root CA|| || || |
|EV||Full ECC||DigiCert Extended Validation CA G3||DigiCert Global Root G3||http://ocsp.digicert.com||http://crl3.digicert.com/evca-g3-group1.crl|| |
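To confirm that an allow-list covers the endpoints a certificate actually names, the added example below (not Symantec or DigiCert code) reads the OCSP and CRL URIs from `openssl x509 -noout -text` output and reports any host and port the list does not cover. The certificate text and the allow-list are constructed samples, and the function names are this example's own.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample: the relevant part of `openssl x509 -noout -text` output
# for an OV certificate, using the OCSP and CRL values from the table above.
SAMPLE_CERT_TEXT = """\
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl4.digicert.com/ssca-sha2-g6.crl
"""

# Constructed egress allow-list, host:port; "*" matches any run of characters.
SAMPLE_ALLOWLIST = ["ocsp.digicert.com:80", "crl3.digicert.com:80", "*.example.com:443"]
DEFAULT_PORTS = {"http": 80, "https": 443}

def revocation_urls(cert_text):
    """Return (kind, url) pairs for OCSP responders and CRL distribution points."""
    found, section = [], None
    for raw in cert_text.splitlines():
        line = raw.strip()
        if line.startswith(("X509v3 ", "Authority Information Access", "Signature Algorithm")):
            section = line.rstrip(": ")  # remember which extension we are inside
        elif section == "Authority Information Access" and line.startswith("OCSP - URI:"):
            found.append(("OCSP", line.split("URI:", 1)[1]))
        elif section == "X509v3 CRL Distribution Points" and line.startswith("URI:"):
            found.append(("CRL", line[len("URI:"):]))
    return found

def endpoint(url):
    # Host and effective port; a URL without an explicit port uses its scheme default.
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme.lower()]

def is_allowed(host, port, allowlist):
    # An entry matches when its port equals the URL's and its host pattern fits.
    rules = (entry.rpartition(":") for entry in allowlist)
    return any(int(p) == port and fnmatchcase(host, pat.lower()) for pat, _, p in rules)

def blocked_endpoints(cert_text, allowlist):
    """List (kind, url) pairs whose host:port the allow-list does not cover."""
    return [(kind, url) for kind, url in revocation_urls(cert_text)
            if not is_allowed(*endpoint(url), allowlist)]

if __name__ == "__main__":
    for kind, url in blocked_endpoints(SAMPLE_CERT_TEXT, SAMPLE_ALLOWLIST):
        print(f"not covered by allow-list: {kind} {url}")
```

The URLs in the table are plain `http://`, so the matching allow-list entries need port 80 rather than 443.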
If your corporate firewall and/or access control devices are configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to include the following IP addresses.