DigiCert's new Web PKI hierarchy aims to modernize and streamline our SSL/TLS certificate offerings. DigiCert expects to issue all new public SSL/TLS certificates from the existing DigiCert public roots starting December 1, 2017. For details on these roots and intermediate CA certificates, please see INFO4562.
When you get new public SSL/TLS certificates from the new roots, their certificate profiles contain the new OCSP and CRL locations.
How does this affect me?
If your corporate firewall and/or access control devices are configured to allow only a certain set of URLs to be accessed from your network, you'll need to white-list the new entries on your firewall and/or access control devices to ensure seamless access to the new OCSP and CRL locations. A list of the new OCSP and CRL locations is available in the table below.
Note: The URI for the Certificate Revocation List (CRL) specified in your SSL/TLS certificate’s details may be different from what is listed in the table below. DigiCert serves our CRLs through Issuing Distribution Points (IDPs) to reduce the potential maximum size of our CRL files, which means CRL information location may change. Always look at your certificate to view the authoritative information about it (e.g., specific CRL URI for the certificate).
Additionally, all our OCSP requests originate from http://ocsp.digicert.com
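Because the certificate itself is the authoritative source for its CRL and OCSP locations, the following added example (not DigiCert code) parses the text printed by `openssl x509 -noout -text` and reports revocation endpoints whose host is missing from an egress allow-list. The sample certificate text is constructed, the allow-list is hypothetical, and matching by host name rather than full URL is an assumption about how your firewall rules are written.

```python
from urllib.parse import urlsplit

# Constructed sample of `openssl x509 -noout -text` extension output.
# CRL and OCSP URLs are taken from this page; the CA Issuers URL is a placeholder.
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertEVRSACAG2.crl
                Full Name:
                  URI:http://crl4.digicert.com/DigiCertEVRSACAG2.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.example.invalid/issuer.crt
    Signature Algorithm: sha256WithRSAEncryption
"""

def revocation_urls(cert_text):
    """Return {'crl': [...], 'ocsp': [...]} found in openssl text output."""
    found = {"crl": [], "ocsp": []}
    section = None
    for line in cert_text.splitlines():
        s = line.strip()
        if s.startswith("X509v3 CRL Distribution Points"):
            section = "crl"
        elif s.startswith("Authority Information Access"):
            section = "aia"
        elif section == "crl" and s.startswith("URI:"):
            found["crl"].append(s[len("URI:"):])
        elif section == "aia" and s.startswith("OCSP - URI:"):
            found["ocsp"].append(s[len("OCSP - URI:"):])
        elif section == "crl" and s in ("", "Full Name:"):
            pass  # still inside the CRL Distribution Points extension
        elif section == "aia" and " - URI:" in s:
            pass  # other AIA entries (e.g. CA Issuers) are not revocation sources
        else:
            section = None  # any other line ends the current extension
    return found

def blocked_endpoints(cert_text, allowed_hosts):
    """List (kind, url) pairs whose host is not on the egress allow-list."""
    allowed = {h.lower() for h in allowed_hosts}
    blocked = []
    for kind, urls in revocation_urls(cert_text).items():
        for url in urls:
            if (urlsplit(url).hostname or "").lower() not in allowed:
                blocked.append((kind, url))
    return blocked

if __name__ == "__main__":
    allowlist = ["crl3.digicert.com", "ocsp.digicert.com"]  # hypothetical rules
    for kind, url in blocked_endpoints(SAMPLE_CERT_TEXT, allowlist):
        print(f"{kind.upper()} endpoint not allow-listed: {url}")
```
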
Product Range | Product Type | Hierarchy | Intermediate CA | Root CA | Master CRL | CRL |
---|---|---|---|---|---|---|
DigiCert SSL | OV | Mixed RSA | DigiCert TLS RSA SHA256 2020 CA1 | DigiCert Global Root CA | http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl | http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl |
DigiCert SSL | OV | Mixed RSA | DigiCert SHA2 Secure Server CA | DigiCert Global Root G3 | http://crl3.digicert.com/DigiCertSHA2SecureServerCA-master.crl | http://crl3.digicert.com/DigiCertSHA2SecureServerCA-master.crl |
DigiCert SSL | OV | Full RSA | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | DigiCert Global Root G2 | http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-master.crl | http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-master.crl |
DigiCert SSL | EV | Mixed RSA | DigiCert SHA2 Extended Validation Server CA | DigiCert High Assurance EV Root CA | http://crl3.digicert.com/sha2-evsca-master.crl | http://crl3.digicert.com/sha2-ev-server-g3.crl http://crl4.digicert.com/sha2-ev-server-g3.crl |
DigiCert SSL | EV | Full RSA | DigiCert EV RSA CA G2 | DigiCert Global Root G2 | http://crl3.digicert.com/DigiCertEVRSACAG2-master.crl | http://crl3.digicert.com/DigiCertEVRSACAG2.crl http://crl4.digicert.com/DigiCertEVRSACAG2.crl |
DigiCert SSL | OV/EV | Hybrid ECC | DigiCert TLS Hybrid ECC SHA384 2020 CA1 | DigiCert Global Root CA | http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-master.crl | http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl |
DigiCert SSL | OV/EV | Full ECC | DigiCert Global G3 TLS ECC SHA384 2020 CA1 | DigiCert Global Root G3 | http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-master.crl | http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1.crl http://crl4.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1.crl |
GeoTrust SSL | DV | Mixed RSA | GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 | DigiCert Global Root CA | Not available | |
GeoTrust SSL | DV | Full RSA | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 | Not available | |
GeoTrust SSL | OV | Mixed RSA | GeoTrust RSA CA 2018 | DigiCert Global Root CA | Not available | http://cdp.geotrust.com/GeoTrustRSACA2018.crl |
GeoTrust SSL | OV | Full RSA | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | DigiCert Global Root G2 | Not available | http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-master.crl |
GeoTrust SSL | DV/OV | Hybrid ECC | GeoTrust ECC CA 2018 | DigiCert Global Root CA | Not available | |
GeoTrust SSL | DV/OV | Full ECC | GeoTrust TLS ECC CA G1 | DigiCert Global Root G3 | Not available | |
GeoTrust SSL | EV | Mixed RSA | GeoTrust EV RSA CA 2018 | DigiCert High Assurance EV Root CA | Not available | |
GeoTrust SSL | EV | Full RSA | GeoTrust EV RSA CA G2 | DigiCert Global Root G2 | Not available | |
GeoTrust SSL | EV | Hybrid ECC | GeoTrust EV ECC CA 2018 | DigiCert High Assurance EV Root CA | Not available | |
Thawte SSL, RapidSSL SSL | DV/OV | Mixed RSA | Thawte RSA CA 2018 | DigiCert Global Root CA | Not available | |
Thawte SSL, RapidSSL SSL | DV/OV | Full RSA | Thawte TLS RSA CA G1 | DigiCert Global Root G2 | Not available | |
Thawte SSL, RapidSSL SSL | DV/OV | Hybrid ECC | Thawte ECC CA 2018 | DigiCert Global Root CA | Not available | |
Thawte SSL, RapidSSL SSL | DV/OV | Full ECC | Thawte TLS ECC CA G1 | DigiCert Global Root G3 | Not available | |
Thawte SSL, RapidSSL SSL | EV | Mixed RSA | Thawte EV RSA CA 2018 | DigiCert High Assurance EV Root CA | Not available | |
Thawte SSL, RapidSSL SSL | EV | Full RSA | Thawte EV RSA CA G2 | DigiCert Global Root G2 | Not available | |
Thawte SSL, RapidSSL SSL | EV | Hybrid ECC | Thawte EV ECC CA 2018 | DigiCert High Assurance EV Root CA | Not available | |
Thawte SSL, RapidSSL SSL | DV | Mixed RSA | RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1 | DigiCert Global Root CA | Not available | |
Thawte SSL, RapidSSL SSL | DV | Full RSA | RapidSSL TLS RSA CA G1 | DigiCert Global Root G2 | Not available | |
Thawte SSL, RapidSSL SSL | DV | Hybrid ECC | RapidSSL ECC CA 2018 | DigiCert Global Root CA | Not available | |
Thawte SSL, RapidSSL SSL | DV | Full ECC | RapidSSL TLS ECC CA G1 | DigiCert Global Root G3 | Not available | |
Encryption Everywhere SSL | DV | Mixed RSA | Encryption Everywhere DV TLS CA - G1 | DigiCert Global Root CA | Not available | |
Encryption Everywhere SSL | DV | Full RSA | Encryption Everywhere DV TLS CA - G2 | DigiCert Global Root G2 | Not available | http://crl3.digicert.com/EncryptionEverywhereDVTLSCA-G2.crl http://crl4.digicert.com/EncryptionEverywhereDVTLSCA-G2.crl |
Encryption Everywhere SSL | DV | Hybrid ECC | Encryption Everywhere ECC DV TLS CA | DigiCert Global Root CA | Not available | http://crl3.digicert.com/EncryptionEverywhereECCDVTLSCA.crl http://crl4.digicert.com/EncryptionEverywhereECCDVTLSCA.crl |
To test the individual DigiCert Root CAs, please refer to the links in the table below:
Root CA | Test Site |
---|---|
DigiCert Global Root CA | https://global-root-ca.chain-demos.digicert.com/ |
DigiCert Global Root CA G2 | |
DigiCert High Assurance EV Root CA | |
DigiCert Global Root G3 | |
If your corporate firewall and/or access control devices are configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to include the following IP addresses.