Alert ID : INFO4629

Last Modified : 12/02/2021

SSL/TLS OCSP and CRL in DigiCert new Web PKI hierarchy certificates

Description

DigiCert's new Web PKI hierarchy aims to modernize and streamline our SSL/TLS certificate offerings. DigiCert expects to issue all new public SSL/TLS certificates from the existing DigiCert public roots starting December 1, 2017. For details on these roots and intermediate CA certificates, please see INFO4562.

Public SSL/TLS certificates issued from the new roots carry the new OCSP and CRL locations in their certificate profiles.

  • OCSP (Online Certificate Status Protocol) is an Internet protocol used to determine the state of an identified certificate.
  • CRL (Certificate Revocation List) is a list of certificates that have been revoked prior to their expiration date.


How does this affect me?

If your corporate firewall and/or access control devices are configured to allow only a certain set of URLs to be accessed from your network, you'll need to whitelist the new entries on those devices to ensure seamless access to the new OCSP and CRL locations. The new OCSP and CRL locations are listed in the table below.


Note: The URI for the Certificate Revocation List (CRL) specified in your SSL/TLS certificate’s details may be different from what is listed in the table below. DigiCert serves our CRLs through Issuing Distribution Points (IDPs) to reduce the potential maximum size of our CRL files, which means CRL information location may change. Always look at your certificate to view the authoritative information about it (e.g., specific CRL URI for the certificate).
Additionally, all our OCSP requests originate from http://ocsp.digicert.com
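
The note above makes the certificate itself the authoritative source for its CRL URI. The following Python is an added example, not DigiCert code: it reads the CRL and OCSP URIs out of `openssl x509 -noout -text` output and classifies each one against a URL allow-list. The sample text, the placeholder CRL file name, the CA Issuers URL and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed excerpt in the layout of `openssl x509 -noout -text` output.
# Not a real certificate; the second CRL name and CA Issuers URL are placeholders.
SAMPLE_CERT_TEXT = """\
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertEVRSACAG2.crl
                Full Name:
                  URI:http://crl4.digicert.com/PLACEHOLDER-partition.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.example.test/issuer.crt
"""
# Assumed firewall allow-list: the OCSP URL plus one table row from this page.
ALLOWED_URLS = ["http://ocsp.digicert.com",
                "http://crl3.digicert.com/DigiCertEVRSACAG2.crl",
                "http://crl4.digicert.com/DigiCertEVRSACAG2.crl"]

def revocation_uris(cert_text):
    """Return (kind, uri) pairs for CRL distribution points and OCSP responders."""
    found, in_cdp, cdp_indent = [], False, 0
    for line in cert_text.splitlines():
        text = line.strip()
        indent = len(line) - len(line.lstrip())
        if in_cdp and text and indent <= cdp_indent:
            in_cdp = False  # a sibling extension header ends the CDP block
        if text.startswith("X509v3 CRL Distribution Points"):
            in_cdp, cdp_indent = True, indent
        elif in_cdp and text.startswith("URI:"):
            found.append(("CRL", text[4:]))
        elif text.startswith("OCSP - URI:"):
            found.append(("OCSP", text[11:]))
    return found

def audit(cert_text, allowed_urls):
    """Classify each revocation URI as 'exact', 'host-only' or 'blocked'."""
    allowed = {u.rstrip("/") for u in allowed_urls}
    hosts = {urlsplit(u).hostname for u in allowed}
    report = []
    for kind, uri in revocation_uris(cert_text):
        if uri.rstrip("/") in allowed:
            status = "exact"
        elif urlsplit(uri).hostname in hosts:
            status = "host-only"  # host is listed, but not this exact URL
        else:
            status = "blocked"
        report.append((kind, uri, status))
    return report
```

A `host-only` result is the case the note warns about: a filter that matches full URLs would block that CRL even though its host is on the list.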

| Product Range | Product Type | Hierarchy | Intermediate CA | Root CA | CRL |
|---|---|---|---|---|---|
| DigiCert SSL | OV | Mixed RSA | DigiCert TLS RSA SHA256 2020 CA1 | DigiCert Global Root CA | http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl |
| | | Full RSA | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | DigiCert Global Root G2 | http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-master.crl |
| | EV | Mixed RSA | DigiCert SHA2 Extended Validation Server CA | DigiCert High Assurance EV Root CA | http://crl3.digicert.com/sha2-ev-server-g3.crl http://crl4.digicert.com/sha2-ev-server-g3.crl |
| | | Full RSA | DigiCert EV RSA CA G2 | DigiCert Global Root G2 | http://crl3.digicert.com/DigiCertEVRSACAG2.crl http://crl4.digicert.com/DigiCertEVRSACAG2.crl |
| | OV/EV | Hybrid ECC | DigiCert TLS Hybrid ECC SHA384 2020 CA1 | DigiCert Global Root CA | http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl |
| | | Full ECC | DigiCert Global G3 TLS ECC SHA384 2020 CA1 | DigiCert Global Root G3 | http://crl3.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1.crl http://crl4.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1.crl |
| GeoTrust SSL | DV | Mixed RSA | GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 | DigiCert Global Root CA | http://crl3.digicert.com/GeoTrustTLSDVRSAMixedSHA2562020CA-1.crl http://crl4.digicert.com/GeoTrustTLSDVRSAMixedSHA2562020CA-1.crl |
| | | Full RSA | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 | http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl |
| | OV | Mixed RSA | DigiCert SHA2 Secure Server CA | DigiCert Global Root CA | http://crl3.digicert.com/DigiCertSHA2SecureServerCA-master.crl |
| | | Mixed RSA | GeoTrust RSA CA 2018 | DigiCert Global Root CA | http://cdp.geotrust.com/GeoTrustRSACA2018.crl |
| | | Mixed RSA | DigiCert TLS RSA SHA256 2020 CA1 | DigiCert Global Root CA | http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl |
| | | Full RSA | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | DigiCert Global Root G2 | http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-master.crl |
| | DV/OV | Hybrid ECC | GeoTrust ECC CA 2018 | DigiCert Global Root CA | http://cdp.geotrust.com/GeoTrustECCCA2018.crl |
| | | Full ECC | GeoTrust TLS ECC CA G1 | DigiCert Global Root G3 | http://cdp.geotrust.com/GeoTrustTLSECCCAG1.crl |
| | EV | Mixed RSA | GeoTrust EV RSA CA 2018 | DigiCert High Assurance EV Root CA | http://cdp.geotrust.com/GeoTrustEVRSACA2018.crl |
| | | Full RSA | GeoTrust EV RSA CA G2 | DigiCert Global Root G2 | http://cdp.geotrust.com/GeoTrustEVRSACAG2.crl |
| | | Hybrid ECC | GeoTrust EV ECC CA 2018 | DigiCert High Assurance EV Root CA | http://cdp.geotrust.com/GeoTrustEVECCCA2018.crl |
| Thawte SSL / RapidSSL SSL | DV/OV | Mixed RSA | Thawte RSA CA 2018 | DigiCert Global Root CA | http://cdp.thawte.com/ThawteRSACA2018.crl |
| | | Full RSA | Thawte TLS RSA CA G1 | DigiCert Global Root G2 | http://cdp.thawte.com/ThawteTLSRSACAG1.crl |
| | | Hybrid ECC | Thawte ECC CA 2018 | DigiCert Global Root CA | http://cdp.thawte.com/ThawteECCCA2018.crl |
| | | Full ECC | Thawte TLS ECC CA G1 | DigiCert Global Root G3 | http://cdp.thawte.com/ThawteTLSECCCAG1.crl |
| | EV | Mixed RSA | Thawte EV RSA CA 2018 | DigiCert High Assurance EV Root CA | http://cdp.thawte.com/ThawteEVRSACA2018.crl |
| | | Full RSA | Thawte EV RSA CA G2 | DigiCert Global Root G2 | http://cdp.thawte.com/ThawteEVRSACAG2.crl |
| | | Hybrid ECC | Thawte EV ECC CA 2018 | DigiCert High Assurance EV Root CA | http://cdp.thawte.com/ThawteEVECCCA2018.crl |
| | DV | Mixed RSA | RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1 | DigiCert Global Root CA | http://crl3.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl http://crl4.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl |
| | | Full RSA | RapidSSL TLS RSA CA G1 | DigiCert Global Root G2 | http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl |
| | | Hybrid ECC | RapidSSL ECC CA 2018 | DigiCert Global Root CA | http://cdp.rapidssl.com/RapidSSLECCCA2018.crl |
| | | Full ECC | RapidSSL TLS ECC CA G1 | DigiCert Global Root G3 | http://cdp.rapidssl.com/RapidSSLTLSECCCAG1.crl |
| Encryption Everywhere SSL | DV | Mixed RSA | Encryption Everywhere DV TLS CA - G1 | DigiCert Global Root CA | http://crl3.digicert.com/EncryptionEverywhereDVTLSCA-G1.crl http://crl4.digicert.com/EncryptionEverywhereDVTLSCA-G1.crl |
| | | Full RSA | Encryption Everywhere DV TLS CA - G2 | DigiCert Global Root G2 | http://crl3.digicert.com/EncryptionEverywhereDVTLSCA-G2.crl http://crl4.digicert.com/EncryptionEverywhereDVTLSCA-G2.crl |
| | | Hybrid ECC | Encryption Everywhere ECC DV TLS CA | DigiCert Global Root CA | http://crl3.digicert.com/EncryptionEverywhereECCDVTLSCA.crl http://crl4.digicert.com/EncryptionEverywhereECCDVTLSCA.crl |

 

To test the individual DigiCert root CAs, please refer to the links in the table below:

| Root CA | Test Site |
|---|---|
| DigiCert Global Root CA | https://global-root-ca.chain-demos.digicert.com/ |
| DigiCert Global Root CA G2 | https://global-root-g2.chain-demos.digicert.com/ |
| DigiCert High Assurance EV Root CA | https://ev-root.chain-demos.digicert.com/ |
| DigiCert Global Root G3 | https://global-root-g3.chain-demos.digicert.com |

 

If your corporate firewall and/or access control devices are configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to include the following IP addresses.

  • 192.16.58.8
  • 117.18.237.29
  • 93.184.220.29
  • 72.21.91.29
  • 66.225.197.197