Description

Symantec new Web PKI hierarchy aims to modernize and streamline our SSL/TLS certificate offerings. Symantec expects to issue all new public SSL/TLS certificates from the existing DigiCert public roots starting December 1, 2017. For details on these roots and intermediate CA certificates, please see INFO4562.

When you get the new public SSL/TLS certificates from the new roots, they have the new OCSP and CRL in the certificate profiles.

• OCSP (Online Certificate Status Protocol) is an Internet protocol used to determine the state of an identified certificate.
• CRL (Certificate Revocation List) is a list of certificates that have been revoked prior to their expiration date.

What this means to you

If your corporate firewall and/or access control devices are configured to allow only a certain set of URLs to be accessed from your network, you'll need to white-list the new entry on your firewall and/or access control devices to ensure seamless access to new OCSP and CRL. A list of new OCSP and CRL is available in the below table.

Note: The URI for the Certificate Revocation List (CRL) specified in your SSL/TLS certificate’s details may be different from what is listed in the table below. DigiCert serves our CRLs through Issuing Distribution Points (IDPs) to reduce the potential maximum size of our CRL files, which means CRL information location may change. Always look at your certificate to view the authoritative information about it (e.g., specific CRL URI for the certificate).
 

If your corporate firewall and/or access control devices are configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to include the following IP addresses.

• 192.16.58.8
• 117.18.237.29
• 93.184.220.29
• 72.21.91.29
• 66.225.197.197