DigiCert Rotating Intermediate CA Policy
On Thursday, July 30, 2020, DigiCert will begin rotating intermediate CA certificates (ICAs) on a 6-month rolling basis. The first of many ICA rotations takes place that day between 15:00 and 17:00 UTC and covers the ICAs for the GeoTrust DV and RapidSSL DV mixed SHA-256 chains.
Note: Certificate Authorities (CAs) use intermediate CA (ICA) certificates to issue certificates such as your SSL/TLS certificates. The ICA certificate links your certificate to the trusted root certificate, which is what enables browsers and other applications to trust it.
You can monitor the DigiCert Intermediate CA certificate Replacement schedule for more information about coming changes:
This is an active page that we will keep updated with release timelines for all ICA certificate replacements.
How does this affect me?
SSL/TLS certificate and ICA installation should go hand in hand. We advise you to always include the provided ICA with every SSL/TLS certificate you install. This has always been the recommended best practice to ensure ICA replacements go unnoticed.
The July 30 ICA rollouts affect GeoTrust DV and RapidSSL DV certificates. No action is required unless you do any of the following:
Pin the old versions of the GeoTrust DV and RapidSSL DV intermediate CA certificates
Hard code the acceptance of the old versions of the GeoTrust DV and RapidSSL DV intermediate CA certificates
Operate a trust store that includes the old versions of the GeoTrust DV and RapidSSL DV intermediate CA certificates
If you do any of the above, we recommend updating your environment as soon as possible to either stop pinning and hard coding ICAs or to make the necessary changes to ensure GeoTrust DV and RapidSSL DV certificates issued from the new ICAs are trusted (in other words, can chain up to their ICA and trusted root).
To download copies of DigiCert Roots and Intermediate CA certificates, see the DigiCert Trusted Root Authority Certificates page:
Note: Rolling out new ICAs does not affect existing certificates. DigiCert doesn't remove the old ICA until all the certificates issued from it have expired. This means active certificates issued from the replaced ICA will continue to be trusted.
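The cases described in this section can be reproduced offline. The script below is an added example, not DigiCert tooling or code from the original page: it uses openssl to build a constructed throwaway PKI (one root, an old ICA, a new ICA, and a leaf issued from the new ICA) and checks the leaf against a root-anchored trust store with the ICA supplied, the same store with the ICA omitted, and a store that holds only the old ICA. All subjects, file names and function names are made up for the example.

```shell
#!/bin/sh
# Constructed throwaway PKI: every subject and file name here is made up.

build_pki() {  # build_pki DIR: root, old ICA, new ICA, and a leaf from the NEW ICA
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root ica_old ica_new leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=Constructed $n" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 30 -out "$d/root.pem" 2>/dev/null || return 1
    serial=1
    for n in ica_old ica_new; do
        serial=$((serial + 1))
        openssl x509 -req -in "$d/$n.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -set_serial "$serial" -extfile "$d/ca.ext" -days 30 \
            -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ica_new.pem" -CAkey "$d/ica_new.key" \
        -set_serial 10 -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# Trust anchored at the root; the server supplies the ICA that issued its leaf.
verify_root_with_ica() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/ica_new.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but the ICA was not installed alongside the leaf.
verify_root_without_ica() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Trust store (or pin set) that holds only the old ICA and no root.
verify_old_ica_only() {
    openssl verify -CAfile "$1/ica_old.pem" -untrusted "$1/ica_new.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d) || return 1
    build_pki "$tmp" || { echo "openssl failed" >&2; rm -rf "$tmp"; return 1; }
    for check in verify_root_with_ica verify_root_without_ica verify_old_ica_only; do
        if "$check" "$tmp"; then echo "$check: chain verifies"
        else echo "$check: chain does NOT verify"; fi
    done
    rm -rf "$tmp"
}
demo
```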
Why is DigiCert changing to a rotating intermediate CA certificate policy?
DigiCert is implementing this new policy to:
Promote customer agility with ICA replacement
Reduce the scope of certificate issuance from any given ICA to mitigate the impact of changes in industry and CA/Browser Forum guidelines to intermediate and end-entity certificates