SSL/TLS OCSP and CRL in DigiCert new Web PKI hierarchy certificates

Description

DigiCert new Web PKI hierarchy aims to modernize and streamline our SSL/TLS certificate offerings. DigiCert expects to issue all new public SSL/TLS certificates from the existing DigiCert public roots starting December 1, 2017. For details on these roots and intermediate CA certificates, please see INFO4562.

When you get the new public SSL/TLS certificates from the new roots, they have the new OCSP and CRL in the certificate profiles.

OCSP (Online Certificate Status Protocol) is an Internet protocol used to determine the state of an identified certificate.
CRL (Certificate Revocation List) is a list of certificates that have been revoked prior to their expiration date.

What does this affect me?

If your corporate firewall and/or access control devices are configured to allow only a certain set of URLs to be accessed from your network, you'll need to white-list the new entry on your firewall and/or access control devices to ensure seamless access to new OCSP and CRL. A list of new OCSP and CRL is available in the below table.

Note: The URI for the Certificate Revocation List (CRL) specified in your SSL/TLS certificate’s details may be different from what is listed in the table below. DigiCert serves our CRLs through Issuing Distribution Points (IDPs) to reduce the potential maximum size of our CRL files, which means CRL information location may change. Always look at your certificate to view the authoritative information about it (e.g., specific CRL URI for the certificate).
Additionally, all our OCSP requests originate from http://ocsp.digicert.com

Product Range	Product Type	Hierarchy	Intermediate CA	Root CA	Master Crl	CRL
DigiCert SSL	OV	Mixed RSA	DigiCert TLS RSA SHA256 2020 CA1	DigiCert Global Root CA	http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl	http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl
		Mixed RSA	DigiCert SHA2 Secure Server CA	DigiCert Global Root G3	http://crl3.digicert.com/DigiCertSHA2SecureServerCA-master.crl"	http://crl3.digicert.com/DigiCertSHA2SecureServerCA-master.crl
		Full RSA	DigiCert Global G2 TLS RSA SHA256 2020 CA1	DigiCert Global Root G2	· http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-master.crl	http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-master.crl
	EV	Mixed RSA	DigiCert SHA2 Extended Validation Server CA	DigiCert High Assurance EV Root CA	http://crl3.digicert.com/sha2-evsca-master.crl	http://crl3.digicert.com/sha2-ev-server-g3.crl http://crl4.digicert.com/sha2-ev-server-g3.crl
	EV	Full RSA	DigiCert EV RSA CA G2	DigiCert Global Root G2	http://crl3.digicert.com/DigiCertEVRSACAG2-master.crl	http://crl3.digicert.com/DigiCertEVRSACAG2.crl http://crl4.digicert.com/DigiCertEVRSACAG2.crl
	OV/EV	Hybrid ECC	DigiCert TLS Hybrid ECC SHA384 2020 CA1	DigiCert Global Root CA	http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-master.crl	http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl
	OV/EV	Full ECC	DigiCert Global G3 TLS ECC SHA384 2020 CA1	DigiCert Global Root G3	http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-master.crl	http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1.crl http://crl4.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1.crl
GeoTrust SSL	DV	Mixed RSA	GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1	DigiCert Global Root CA	Not available	http://crl3.digicert.com/GeoTrustTLSDVRSAMixedSHA2562020CA-1.crl http://crl4.digicert.com/GeoTrustTLSDVRSAMixedSHA2562020CA-1.crl
	DV	Full RSA	GeoTrust TLS RSA CA G1	DigiCert Global Root G2	Not available	http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl
	OV	Mixed RSA	GeoTrust RSA CA 2018	DigiCert Global Root CA	Not available	http://cdp.geotrust.com/GeoTrustRSACA2018.crl
	OV	Full RSA	DigiCert Global G2 TLS RSA SHA256 2020 CA1	DigiCert Global Root G2	Not available	http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-master.crl
	DV/OV	Hybrid ECC	GeoTrust ECC CA 2018	DigiCert Global Root CA	Not available	http://cdp.geotrust.com/GeoTrustECCCA2018.crl
	DV/OV	Full ECC	GeoTrust TLS ECC CA G1	DigiCert Global Root G3	Not available	http://cdp.geotrust.com/GeoTrustTLSECCCAG1.crl
	EV	Mixed RSA	GeoTrust EV RSA CA 2018	DigiCert High Assurance EV Root CA	Not available	http://cdp.geotrust.com/GeoTrustEVRSACA2018.crl
		Full RSA	GeoTrust EV RSA CA G2	DigiCert Global Root G2	Not available	http://cdp.geotrust.com/GeoTrustEVRSACAG2.crl
		Hybrid ECC	GeoTrust EV ECC CA 2018	DigiCert High Assurance EV Root CA	Not available	http://cdp.geotrust.com/GeoTrustEVECCCA2018.crl
Thawte SSL RapidSSL SSL	DV/OV	Mixed RSA	Thawte RSA CA 2018	DigiCert Global Root CA	Not available	http://cdp.thawte.com/ThawteRSACA2018.crl
		Full RSA	Thawte TLS RSA CA G1	DigiCert Global Root G2	Not available	http://cdp.thawte.com/ThawteTLSRSACAG1.crl
		Hybrid ECC	Thawte ECC CA 2018	DigiCert Global Root CA	Not available	http://cdp.thawte.com/ThawteECCCA2018.crl
		Full ECC	Thawte TLS ECC CA G1	DigiCert Global Root G3	Not available	http://cdp.thawte.com/ThawteTLSECCCAG1.crl
	EV	Mixed RSA	Thawte EV RSA CA 2018	DigiCert High Assurance EV Root CA	Not available	http://cdp.thawte.com/ThawteEVRSACA2018.crl
		Full RSA	Thawte EV RSA CA G2	DigiCert Global Root G2	Not available	http://cdp.thawte.com/ThawteEVRSACAG2.crl
		Hybrid ECC	Thawte EV ECC CA 2018	DigiCert High Assurance EV Root CA	Not available	http://cdp.thawte.com/ThawteEVECCCA2018.crl
	DV	Mixed RSA	RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1	DigiCert Global Root CA	Not available	http://crl3.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl http://crl4.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl
		Full RSA	RapidSSL TLS RSA CA G1	DigiCert Global Root G2	Not available	http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl
		Hybrid ECC	RapidSSL ECC CA 2018	DigiCert Global Root CA	Not available	http://cdp.rapidssl.com/RapidSSLECCCA2018.crl
		Full ECC	RapidSSL TLS ECC CA G1	DigiCert Global Root G3	Not available	http://cdp.rapidssl.com/RapidSSLTLSECCCAG1.crl
Encryption Everywhere SSL	DV	Mixed RSA	Encryption Everywhere DV TLS CA - G1	DigiCert Global Root CA	Not available	http://crl3.digicert.com/EncryptionEverywhereDVTLSCA-G1.crl http://crl4.digicert.com/EncryptionEverywhereDVTLSCA-G1.crl
		Full RSA	Encryption Everywhere DV TLS CA - G2	DigiCert Global Root G2	Not available	http://crl3.digicert.com/EncryptionEverywhereDVTLSCA-G2.crl http://crl4.digicert.com/EncryptionEverywhereDVTLSCA-G2.crl
		Hybrid ECC	Encryption Everywhere ECC DV TLS CA	DigiCert Global Root CA	Not available	http://crl3.digicert.com/EncryptionEverywhereECCDVTLSCA.crl http://crl4.digicert.com/EncryptionEverywhereECCDVTLSCA.crl

For testing the individual DigiCert Root CA’s, please refer to the links in the table below:

Root CA	Test Site
DigiCert Global Root CA	https://global-root-ca.chain-demos.digicert.com/
DigiCert Global Root CA G2	https://global-root-g2.chain-demos.digicert.com/
DigiCert High Assurance EV Root CA	https://ev-root.chain-demos.digicert.com/
DigiCert Global Root G3	https://global-root-g3.chain-demos.digicert.com

If your corporate firewall and/or access control devices are configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to include the following IP addresses.

192.16.58.8
117.18.237.29
93.184.220.29
72.21.91.29

Contact Support

Chat

Email

Select a Language

Chat

Email

Ask a Question

SSL/TLS OCSP and CRL in DigiCert new Web PKI hierarchy certificates

Description