On 9 June 2021, DigiCert made a change to their certificate issuance process. They updated seven default Intermediate Certificate Authorities (ICAs) used for issuing OV and EV SSL certificates. This change was made to restore compatibility with Google Chrome’s EV indicators.
OV and EV certificate orders issued after 9 June include updated ICAs in PEM files provided in CertCentral or email. Digicert recommends using the ICA provided with your certificate to ensure compatibility.
You will need to take action if any of the following applies:
- If you hardcode or manually manage your trust store. Digicert recommend all new ICAs be added/replaced.
- If your API calls use the ca_cert_id parameter to select any affected ICAs when requesting, reissuing, or duplicating a certificate, you must update your code to use the ID of the corresponding updated ICA.
- If you are using certificate pinning. If you pin to either the Subject Name or key pair, you do not need to make any changes. If you are pinning to any other field, such as serial number, you must update your pinning configuration immediately. Note that DigiCert advises against pinning because of operational risks.
This information is also available in their knowledge base article.
Brandsec is a corporate domain name management and brand protection company that looks after many of Australia, New Zealand and Asia’s top publicly listed brands. We provide monitoring and enforcement services, DNS, SSL Management, domain name brokerage and dispute management and brand security consultation services.