Alert ID : INFO4896

Last Modified : 06/22/2018

OCSP and CRL for the Legacy Symantec TLS and Code Signing PKI Hierarchy

Description

For security and compliance best practices, we are updating the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) infrastructure for legacy Symantec TLS and code signing certificates.


IP addresses for CRL in the legacy Symantec certificates were updated in May 2018.

IP addresses for OCSP in the legacy Symantec certificates have not been updated. The activity to update OCSP has been put on hold for now.


What this means to you

  1. If your firewall and/or access control devices have policies that use the URLs below, no action is required.
     
    • *.symantec.com
    • *.ws.symantec.com
    • *.symcb.com
    • *.symcd.com
       
  2. If your firewall and/or access control devices have policies that use IP addresses, we strongly recommend that the policies use URLs instead of IP addresses. We can change these IP addresses at any time without notification.

    If your corporate firewall and/or access control devices are configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to take the following actions:
     
    1. Add the following IP addresses to your existing list. Do not replace the old IP addresses, and do not delete your existing rules for the legacy Symantec OCSP and CRL IP addresses.

      72.21.91.29
      117.18.237.29
      93.184.220.29
      192.16.58.8
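
The additive update described in step 2 above, as an added example that is not part of the original alert: it keeps every existing allowlist entry and appends only those of the four listed addresses that no existing address or CIDR range already covers. The one-entry-per-line allowlist format, the function names and the sample entries are assumptions.

```python
import ipaddress

# The four addresses listed in this alert.
ALERT_IPS = ["72.21.91.29", "117.18.237.29", "93.184.220.29", "192.16.58.8"]


def parse_allowlist(text):
    """Return (networks, rejected_lines) from one-entry-per-line text.

    Blank lines and '#' comments are skipped; entries may be single
    addresses or CIDR ranges (an assumed export format).
    """
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Keep unparsable lines visible instead of silently dropping a rule.
            rejected.append(raw)
    return networks, rejected


def merge_allowlist(text, required=ALERT_IPS):
    """Keep every existing entry and append only the required addresses
    that no existing address or range already covers."""
    networks, rejected = parse_allowlist(text)
    missing = [
        ip for ip in required
        if not any(ipaddress.ip_address(ip) in net for net in networks)
    ]
    merged = [str(n) for n in networks] + [f"{ip}/32" for ip in missing]
    return merged, missing, rejected


# Constructed sample allowlist (documentation ranges, not real rules).
SAMPLE = """\
# legacy OCSP/CRL rules
198.51.100.10
203.0.113.0/24
93.184.220.0/24   # existing range that already covers one alert address
not-an-ip
"""

if __name__ == "__main__":
    merged, missing, rejected = merge_allowlist(SAMPLE)
    print("add:", missing)
    print("review manually:", rejected)
    print("resulting list:", merged)
```

Lines reported under "review manually" are not carried into the merged list, so check them against the device's existing rules before applying the result.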