On November 2, 2020, DigiCert is replacing multiple intermediate CA certificates. Here is everything you need to know about the upcoming changes.
What are ICAs?
ICAs (intermediate CA certificates) are certificates issued by the Certificate Authority that chain your website’s SSL certificate back to the CA’s root certificate trusted by browsers. ICAs help the browser trust your SSL certificate.
How do new ICA certificates affect me?
In many cases, no action is required. Existing certificates that use the old ICAs will not be impacted. DigiCert will not remove the old ICA from certificate stores until all certificates issued from it have expired, so any SSL certificate issued under the old ICAs will remain trusted.
You will need to take action ASAP if you:
- Pin the old versions of replaced intermediate CA certificates
- Hard code the acceptance of the old versions of replaced intermediate CA certificates
- Operate a trust store that includes the old versions of replaced intermediate CA certificates
If you do any of the above, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICA certificate acceptance, or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, can chain up to their ICA and trusted root certificates).
Your SSL certificate download includes the proper ICA files. We recommend that you always include the provided ICA with every certificate you install. This has always been the recommended best practice to ensure ICA certificate replacements go unnoticed and to make sure certificates are trusted. Also, don’t pin or hardcode ICAs!
What ICAs are being replaced?
On November 2, 2020, DigiCert is replacing the ICAs listed below. We encourage you to update key stores, needed code, and certificate pinnings that may be in use.
- DigiCert SHA2 Secure Server CA
- DigiCert Baltimore CA-2 G2
- DigiCert Global CA G2
- DigiCert ECC Secure Server CA
- DigiCert Baltimore CA-1 G2
- DigiCert Global CA G3
- DigiCert Trusted Server CA G4
- DigiCert ECC Extended Validation Server CA
- DigiCert Assured ID CA G2
- DigiCert Extended Validation CA G3
- DigiCert High Assurance CA-3
- DigiCert EV Server CA G4
For a full list of the replacement ICA files, check the DigiCert ICA Update knowledge base article.
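To check a trust store or pinned bundle for the ICAs named above, the following added example (not DigiCert's own tooling) scans a PEM file with the openssl CLI and reports every certificate whose subject CN matches the list. It assumes openssl is installed and that a common-name match is enough to flag a candidate; the function name find_replaced_icas is hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not DigiCert tooling): flag certificates in a PEM bundle
# whose subject CN is one of the ICA names listed on this page.

# Names copied from the list above.
REPLACED_ICAS='DigiCert SHA2 Secure Server CA
DigiCert Baltimore CA-2 G2
DigiCert Global CA G2
DigiCert ECC Secure Server CA
DigiCert Baltimore CA-1 G2
DigiCert Global CA G3
DigiCert Trusted Server CA G4
DigiCert ECC Extended Validation Server CA
DigiCert Assured ID CA G2
DigiCert Extended Validation CA G3
DigiCert High Assurance CA-3
DigiCert EV Server CA G4'

# Usage: find_replaced_icas BUNDLE.pem   (hypothetical helper name)
# Prints each matching CN; returns 0 if any matched, 1 if none, 2 on error.
find_replaced_icas() {
  bundle=$1
  found=1
  [ -r "$bundle" ] || { echo "cannot read: $bundle" >&2; return 2; }
  # Dump the subject line of every certificate in the bundle.
  subjects=$(openssl crl2pkcs7 -nocrl -certfile "$bundle" 2>/dev/null \
    | openssl pkcs7 -print_certs -noout 2>/dev/null | grep '^subject') || return 2
  # Reduce each subject to its CN; handles "CN = X" and "/CN=X" layouts.
  cns=$(printf '%s\n' "$subjects" | sed -E 's|.*CN ?= ?||; s|[,/].*$||')
  # Exact, whole-line comparison against each listed name.
  while IFS= read -r name; do
    if printf '%s\n' "$cns" | grep -Fxq -- "$name"; then
      printf '%s\n' "$name"
      found=0
    fi
  done <<EOF
$REPLACED_ICAS
EOF
  return "$found"
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then find_replaced_icas "$1"; fi
```

A match is only a candidate: confirm it against the certificate details in DigiCert's article before changing the store.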