RRPproxy Homepage
RRPproxy Homepage

DigiCert ICA Rollover

DigiCert regularly Rotating Intermediate CAs

DigiCert is currently rotating intermediate CA certificates (ICAs) on a 6-month rolling basis. You can monitor the DigiCert Intermediate CA certificate Replacement schedule for more information about coming changes:

https://knowledge.digicert.com/alerts/DigiCert-ICA-Update

This is an active page that DigiCert keeps updated with release timelines for all ICA certificate replacements.

Certificate Authorities (CAs) use intermediate CA (ICA) certificates to issue certificates such as your SSL/TLS certificates. The ICA certificate links your certificate to the trusted root certificate enabling browsers and other applications to trust it.

Existing Certificates not affected

Rolling out new ICA certificates does not affect your customers' existing DV certificates. Active certificates issued from the replaced ICA certificate will remain trusted until they expire.

How does this affect your customers?

The ICA certificate replacements only affect respective certificates, i.e. not all DigiCert certificates are affected by an ICA rollover.

TLS certificate and ICA certificate installation should go hand in hand. To ensure ICA certificate replacements go unnoticed, always include the provided ICA certificate with every TLS certificate you install.

No action is required unless your customers do any of the following:

  • Pin the old versions of intermediate CA certificates
  • Hard code the acceptance of the old versions of intermediate CA certificates
  • Operate a trust store that includes the old versions of intermediate CA certificates

Action required

If your customers practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. They should stop pinning and hard coding ICA certificate trust or make the necessary changes to ensure their certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to their new ICA certificate and trusted root). See the DigiCert ICA Update knowledge base article: https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html

Intermediate CA and Root CA replacements and downloads

These intermediate CA certificates below chain to the DigiCert Global Root CA certificate. See the DigiCert Trusted Root Authority Certificates page at https://www.digicert.com/kb/digicert-root-certificates.htm to download copies of the new Intermediate CA certificates.

Wedomains :)