General Information ID : INFO4629
Symantec's new Web PKI hierarchy aims to modernize and streamline our SSL/TLS certificate offerings. Symantec expects to issue all new public SSL/TLS certificates from the existing DigiCert public roots starting December 1, 2017. For details on these roots and intermediate CA certificates, please see INFO4562.
New public SSL/TLS certificates issued from the new roots carry the new OCSP and CRL URLs in their certificate profiles.
What this means to you
If your corporate firewall and/or access control devices are configured to allow only a certain set of URLs to be accessed from your network, you'll need to white-list the new entries on those devices to ensure seamless access to the new OCSP and CRL URLs. A list of the new OCSP and CRL URLs is available in the table below.
Note: The URI for the Certificate Revocation List (CRL) specified in your SSL/TLS certificate’s details may be different from what is listed in the table below. DigiCert serves our CRLs through Issuing Distribution Points (IDPs) to reduce the potential maximum size of our CRL files, which means the location of CRL information may change. Always look at your certificate to view the authoritative information about it (e.g., the specific CRL URI for the certificate).
| Product | Hierarchy | Intermediate CA | Root CA | OCSP | CRL | Test Site |
|---|---|---|---|---|---|---|
| OV | Mixed SHA256 | DigiCert SHA2 Secure Server CA | DigiCert Global Root CA | http://ocsp.digicert.com | http://crl3.digicert.com/ssca-sha2-g5.crl | |
| OV/EV | Full SHA256 | DigiCert Global CA G2 | DigiCert Global Root CA G2 | http://ocsp.digicert.com | http://crl3.digicert.com/DigiCertGlobalCAG2.crl | |
| EV | Mixed SHA256 | DigiCert SHA2 Extended Validation Server CA | DigiCert High Assurance EV Root CA | | | |
| EV | Full ECC | DigiCert Extended Validation CA G3 | DigiCert Global Root G3 | http://ocsp.digicert.com | http://crl3.digicert.com/evca-g3-group1.crl | |
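The note before the table says the certificate itself is the authoritative source for its CRL URI. The following added example (not Symantec or DigiCert code) reads the OCSP and CRL URLs from `openssl x509 -noout -text` output and lists any whose host is missing from the firewall allowlist. The sample certificate text, the `example.test` URLs, the function names and the `ALLOWED_HOSTS` set are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed firewall allowlist, built from the OCSP/CRL hosts in the table above.
ALLOWED_HOSTS = {"ocsp.digicert.com", "crl3.digicert.com"}

# Constructed excerpt of `openssl x509 -noout -text` output (not a real
# certificate); the example.test URLs are placeholders.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl3.digicert.com/ssca-sha2-g5.crl

                Full Name:
                  URI:http://crl.example.test/constructed-idp.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.example.test/constructed-ca.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
"""

def revocation_urls(cert_text):
    """Return {'ocsp': [...], 'crl': [...]} parsed from openssl text output."""
    found = {"ocsp": [], "crl": []}
    section, header_indent = None, 0
    for line in cert_text.splitlines():
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if section and indent <= header_indent:
            section = None  # left the indented body of the extension
        if body.startswith("X509v3 CRL Distribution Points"):
            section, header_indent = "crl", indent
        elif body.startswith("Authority Information Access"):
            section, header_indent = "aia", indent
        elif section == "crl" and body.startswith("URI:"):
            found["crl"].append(body[len("URI:"):])
        elif section == "aia" and body.startswith("OCSP - URI:"):
            found["ocsp"].append(body[len("OCSP - URI:"):])
    return found

def blocked_endpoints(cert_text, allowed_hosts=ALLOWED_HOSTS):
    """List (kind, url) pairs whose host the allowlist would not let through."""
    return [(kind, url)
            for kind, urls in revocation_urls(cert_text).items()
            for url in urls
            if (urlsplit(url).hostname or "").lower() not in allowed_hosts]
```

An empty result from `blocked_endpoints` means every OCSP and CRL endpoint named in that certificate is reachable under the allowlist; any entry returned is a URL the table did not predict.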
If your corporate firewall and/or access control devices are configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to include the following IP addresses.