Ask a Question

Advanced Search

Alert ID : INFO4622

Last Modified : 05/03/2018

Certificate Profile Changes in Symantec new Web PKI hierarchy certificates


Symantec new Web PKI hierarchy aims to modernize and streamline our SSL/TLS certificate offerings. Symantec expects to issue all new public SSL/TLS certificates from the existing DigiCert Public Root by 28 November, 2017. For details on these roots and intermediate CA certificates, please see INFO4562

When you get the new public SSL/TLS certificates from the new roots, the below changes apply to your certificate profiles.

  • Subject Key Identifier (SKI)
    The Subject Key Identifier extension provides a means of identifying certificates that contain a particular public key. This is a hash value of the SSL certificate. This extension will be included in the public SSL/TLS certificates by default.
  • Certificate Policies
    New certificate policy qualifier URL will be placed in the public SSL/TLS certificates. URL should be updated in this KB later.
  • “For Intranet Use Only” OU value
    The current hierarchy certificates for Standard Intranet and Premium Intranet contain the OU value “For Intranet Use Only”. This value will be removed from the new hierarchy certificates. Note that Intranet certificates are still prohibited to use in external network.
  • Signed Certificate Timestamp (SCT)
    When you select “No logging” option for Certificate Transparency during the enrollment, SCT extension will not be embedded in the public SSL/TLS certificates.