Alert ID : INFO4629
Last Modified : 12/02/2021
DigiCert new Web PKI hierarchy aims to modernize and streamline our SSL/TLS certificate offerings. DigiCert expects to issue all new public SSL/TLS certificates from the existing DigiCert public roots starting December 1, 2017. For details on these roots and intermediate CA certificates, please see INFO4562.
When you get the new public SSL/TLS certificates from the new roots, they have the new OCSP and CRL in the certificate profiles.
What does this affect me?
If your corporate firewall and/or access control devices are configured to allow only a certain set of URLs to be accessed from your network, you'll need to white-list the new entry on your firewall and/or access control devices to ensure seamless access to new OCSP and CRL. A list of new OCSP and CRL is available in the below table.
Note: The URI for the Certificate Revocation List (CRL) specified in your SSL/TLS certificate’s details may be different from what is listed in the table below. DigiCert serves our CRLs through Issuing Distribution Points (IDPs) to reduce the potential maximum size of our CRL files, which means CRL information location may change. Always look at your certificate to view the authoritative information about it (e.g., specific CRL URI for the certificate).
Additionally, all our OCSP requests originate from http://ocsp.digicert.com
| Product Range | Product Type | Hierarchy | Intermediate CA | Root CA | CRL |
|---|---|---|---|---|---|
| DigiCert SSL | OV | Mixed RSA | DigiCert TLS RSA SHA256 2020 CA1 | DigiCert Global Root CA | http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl |
| Full RSA | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | DigiCert Global Root G2 | http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-master.crl |
||
| EV | Mixed RSA | DigiCert SHA2 Extended Validation Server CA | DigiCert High Assurance EV Root CA | http://crl3.digicert.com/sha2-ev-server-g3.crl http://crl4.digicert.com/sha2-ev-server-g3.crl |
|
| Full RSA | DigiCert EV RSA CA G2 | DigiCert Global Root G2 | http://crl3.digicert.com/DigiCertEVRSACAG2.crl http://crl4.digicert.com/DigiCertEVRSACAG2.crl |
||
| OV/EV | Hybrid ECC | DigiCert TLS Hybrid ECC SHA384 2020 CA1 | DigiCert Global Root CA | http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl | |
| Full ECC | DigiCert Global G3 TLS ECC SHA384 2020 CA1 | DigiCert Global Root G3 | http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1.crl http://crl4.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1.crl | ||
| GeoTrust SSL | DV | Mixed RSA | GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 | DigiCert Global Root CA | |
| Full RSA | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 | |||
| OV | Mixed RSA | DigiCert SHA2 Secure Server CA | DigiCert Global Root CA | http://crl3.digicert.com/DigiCertSHA2SecureServerCA-master.crl | |
| Mixed RSA | GeoTrust RSA CA 2018 | DigiCert Global Root CA | http://cdp.geotrust.com/GeoTrustRSACA2018.crl | ||
| Mixed RSA | DigiCert TLS RSA SHA256 2020 CA1 | DigiCert Global Root CA | http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl | ||
| Full RSA | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | DigiCert Global Root G2 | http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-master.crl | ||
| DV/OV | Hybrid ECC | GeoTrust ECC CA 2018 |
DigiCert Global Root CA |
||
| Full ECC | GeoTrust TLS ECC CA G1 |
DigiCert Global Root G3 |
|||
| EV | Mixed RSA | GeoTrust EV RSA CA 2018 |
DigiCert High Assurance EV Root CA |
||
| Full RSA | GeoTrust EV RSA CA G2 |
DigiCert Global Root G2 |
|||
| Hybrid ECC | GeoTrust EV ECC CA 2018 |
DigiCert High Assurance EV Root CA |
|||
| Thawte SSL RapidSSL SSL | DV/OV | Mixed RSA |
Thawte RSA CA 2018 |
DigiCert Global Root CA |
|
Full RSA |
Thawte TLS RSA CA G1 |
DigiCert Global Root G2 |
|||
Hybrid ECC |
Thawte ECC CA 2018 |
DigiCert Global Root CA |
|||
Full ECC |
Thawte TLS ECC CA G1 |
DigiCert Global Root G3 |
|||
| EV | Mixed RSA |
Thawte EV RSA CA 2018 |
DigiCert High Assurance EV Root CA |
||
Full RSA |
Thawte EV RSA CA G2 |
DigiCert Global Root G2 |
|||
Hybrid ECC |
Thawte EV ECC CA 2018 |
DigiCert High Assurance EV Root CA |
|||
| DV | Mixed RSA |
RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1 |
DigiCert Global Root CA |
||
Full RSA |
RapidSSL TLS RSA CA G1 |
DigiCert Global Root G2 |
|||
Hybrid ECC |
RapidSSL ECC CA 2018 |
DigiCert Global Root CA |
|||
Full ECC |
RapidSSL TLS ECC CA G1 |
DigiCert Global Root G3 |
|||
| Encryption Everywhere SSL | DV | Mixed RSA |
Encryption Everywhere DV TLS CA - G1 |
DigiCert Global Root CA |
|
Full RSA |
Encryption Everywhere DV TLS CA - G2 |
DigiCert Global Root G2 |
http://crl3.digicert.com/EncryptionEverywhereDVTLSCA-G2.crl http://crl4.digicert.com/EncryptionEverywhereDVTLSCA-G2.crl |
||
Hybrid ECC |
Encryption Everywhere ECC DV TLS CA |
DigiCert Global Root CA |
http://crl3.digicert.com/EncryptionEverywhereECCDVTLSCA.crl http://crl4.digicert.com/EncryptionEverywhereECCDVTLSCA.crl |
For testing the individual DigiCert Root CA’s, please refer to the links in the table below:
| Root CA | Test Site |
|---|---|
DigiCert Global Root CA |
https://global-root-ca.chain-demos.digicert.com/ |
DigiCert Global Root CA G2 |
|
DigiCert High Assurance EV Root CA |
|
DigiCert Global Root G3 |
If your corporate firewall and/or access control devices are configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to include the following IP addresses.
