
General Information ID : INFO4655

Last Modified : 05/03/2018

New Web PKI Hierarchy Details

Description

Symantec’s next generation Web PKI hierarchy aims to modernize and streamline our TLS certificate offerings. At the highest level, we will use existing DigiCert public roots for the new Web PKI Hierarchy certificates. We expect to issue all new Public TLS certificates from this hierarchy starting November 30, 2017.

| Product Type | Signature Algorithm | Intermediate CA Name | Trust Anchor | Diagram |
|---|---|---|---|---|
| Standard EV SSL, Premium EV SSL | SHA-256 with RSA and SHA-1 root | DigiCert SHA2 Extended Validation Server CA | DigiCert High Assurance EV Root CA | View |
| Standard EV SSL, Premium EV SSL | SHA-256 with RSA and SHA-256 root | DigiCert Global CA G2 | DigiCert Global Root G2 | View |
| Premium EV SSL | ECDSA with SHA-256 and RSA root | DigiCert ECC Extended Validation Server CA | DigiCert High Assurance EV Root CA | View |
| Premium EV SSL | ECDSA with SHA-256 and ECC root | DigiCert Extended Validation CA G3 | DigiCert Global Root G3 | View |
| Standard SSL, Premium SSL, Standard Intranet SSL, Premium Intranet SSL, Wildcard SSL, OFX | SHA-256 with RSA and SHA-1 root | DigiCert SHA2 Secure Server CA | DigiCert Global Root CA | View |
| Standard SSL, Premium SSL, Standard Intranet SSL, Premium Intranet SSL, Wildcard SSL, OFX | SHA-256 with RSA and SHA-256 root | DigiCert Global CA G2 | DigiCert Global Root G2 | View |
| Premium SSL, Premium Intranet SSL | ECDSA with SHA-256 and RSA root | DigiCert ECC Secure Server CA | DigiCert Global Root CA | View |
| Premium SSL, Premium Intranet SSL | ECDSA with SHA-256 and ECC root | DigiCert Global CA G3 | DigiCert Global Root G3 | View |
| RapidSSL Enterprise | SHA-256 with RSA and SHA-1 root | RapidSSL RSA CA 2018 | DigiCert Global Root CA | View |
| RapidSSL Enterprise | SHA-256 with RSA and SHA-256 root | RapidSSL TLS RSA CA G1 | DigiCert Global Root G2 | View |


 

Checklist for new Public TLS certificates

Work through the following checklist when you receive a new Public TLS certificate.

  • Check your internal firewall policy for the new OCSP/CRL URLs with your IT team
    INFO4621 SSL/TLS OCSP and CRL in Symantec new Web PKI hierarchy certificates

  • Check with your developers whether your non-browser applications accept the new certificate profiles (no action is required for browser applications)
    INFO4622 Certificate Profile Changes in Symantec new Web PKI hierarchy certificates

  • Make sure to install the new Intermediate CA certificate on your servers
    1. Subscribers create a CSR (no DN changes required)
    2. Subscribers submit the CSR through the Symantec console/API
    3. The administrator approves the requests
    4. Symantec sends subscribers the approval emails, which include:
      1. An X.509 end-entity certificate when they select any server type other than Microsoft
      2. A PKCS #7B certificate when they select the Microsoft server type
    5. For an X.509 end-entity certificate, you are required to go to the Symantec Certificate Download Center (CDC) to get the Intermediate CA
      1. The link to the CDC is included in the approval email
      2. Subscribers download a zip file containing the X.509 end-entity and Intermediate CA files
      3. Subscribers install these files on their servers
        INFO113 Managed PKI for SSL - Installation Instructions
    6. For a PKCS #7B certificate, the file includes both the end-entity and the Intermediate CA certificates. Subscribers install the PKCS #7B file on the Microsoft IIS server.
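
To support the first and third checklist items, the following added example (not part of the original article and not Symantec or DigiCert tooling) uses the openssl command line to list the OCSP and CRL URLs embedded in an issued certificate, reduce them to the host names a firewall policy has to permit, and confirm that the end-entity certificate chains to the root through the Intermediate CA you installed. All function names are assumptions of this example, as is the `make_constructed_chain` helper, which builds a throwaway chain with placeholder `.example` URLs for a dry run; OpenSSL 1.1.1 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example; needs the openssl CLI (1.1.1 or later for `x509 -ext`).

# OCSP responder URL(s) from the Authority Information Access extension.
ocsp_urls() { openssl x509 -in "$1" -noout -ocsp_uri; }

# CRL distribution point URL(s).
crl_urls() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
    grep -o 'URI:[^[:space:]]*' | sed 's/^URI://'
}

# Unique host names the firewall policy has to permit for revocation checks.
revocation_hosts() {
  { ocsp_urls "$1"; crl_urls "$1"; } |
    sed -E 's#^[a-z]+://([^/:]+).*#\1#' | sort -u
}

# Exit 0 only if LEAF chains to ROOT through the supplied INTERMEDIATE.
chain_ok() {  # usage: chain_ok ROOT INTERMEDIATE LEAF
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a constructed root -> intermediate -> leaf chain in DIR for a dry run.
# Subjects and URLs are placeholders, not values from any real CA.
make_constructed_chain() {
  local d="$1"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  printf '%s\n' 'authorityInfoAccess=OCSP;URI:http://ocsp.ca.example/' \
    'crlDistributionPoints=URI:http://crl.ca.example/int.crl' > "$d/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -subj "/CN=Constructed $n" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}
```

Against a real deployment, pass the downloaded root, Intermediate CA and end-entity PEM files to `chain_ok`, and hand the output of `revocation_hosts` to the team that owns the firewall policy.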

 

You can obtain the new Roots and Intermediate CAs from the attachment below.