Ask a Question

Advanced Search

Alert ID : INFO4629

Last Modified : 06/20/2018

Share Via Email

  • WSS

SSL/TLS OCSP and CRL in Symantec new Web PKI hierarchy certificates

Description

Symantec new Web PKI hierarchy aims to modernize and streamline our SSL/TLS certificate offerings. Symantec expects to issue all new public SSL/TLS certificates from the existing DigiCert public roots starting December 1, 2017. For details on these roots and intermediate CA certificates, please see INFO4562.

When you get the new public SSL/TLS certificates from the new roots, they have the new OCSP and CRL in the certificate profiles.

  • OCSP (Online Certificate Status Protocol) is an Internet protocol used to determine the state of an identified certificate.
  • CRL (Certificate Revocation List) is a list of certificates that have been revoked prior to their expiration date.


What this means to you

If your corporate firewall and/or access control devices are configured to allow only a certain set of URLs to be accessed from your network, you'll need to white-list the new entry on your firewall and/or access control devices to ensure seamless access to new OCSP and CRL. A list of new OCSP and CRL is available in the below table.


Note: The URI for the Certificate Revocation List (CRL) specified in your SSL/TLS certificate’s details may be different from what is listed in the table below. DigiCert serves our CRLs through Issuing Distribution Points (IDPs) to reduce the potential maximum size of our CRL files, which means CRL information location may change. Always look at your certificate to view the authoritative information about it (e.g., specific CRL URI for the certificate).
 

Product Hierarchy Intermediate CA Root CA OCSP CRL Test Site
OV Mixed SHA256     DigiCert SHA2 Secure Server CA DigiCert Global Root CA http://ocsp.digicert.com http://crl3.digicert.com/ssca-sha2-g5.crl
http://crl4.digicert.com/ssca-sha2-g5.crl
                                                                		 https://global-root-ca.chain-demos.digicert.com/
                                            
OV/EV Full SHA256 DigiCert Global CA G2 DigiCert Global Root CA G2 http://ocsp.digicert.com http://crl3.digicert.com/DigiCertGlobalCAG2.crl
http://crl4.digicert.com/DigiCertGlobalCAG2.crl
 		 https://global-root-g2.chain-demos.digicert.com/
EV Mixed SHA256 DigiCert SHA2 Extended Validation Server CA
DigiCert High Assurance EV Root CA		 http://ocsp.digicert.com http://crl3.digicert.com/sha2-ha-server-g5.crl
http://crl4.digicert.com/sha2-ha-server-g5.crl		 https://ev-root.chain-demos.digicert.com/
EV Full ECC DigiCert Extended Validation CA G3 DigiCert Global Root G3 http://ocsp.digicert.com http://crl3.digicert.com/evca-g3-group1.crl
http://crl4.digicert.com/evca-g3-group1.crl		 https://global-root-g3.chain-demos.digicert.com

 

If your corporate firewall and/or access control devices are configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to include the following IP addresses.

  • 192.16.58.8
  • 117.18.237.29
  • 93.184.220.29
  • 72.21.91.29
  • 66.225.197.197