DigiCert is replacing multiple ICAs on November 2, 2020. 

ICAs are the intermediate certificates that chain your server's SSL back to the certificate authority's root certificate. Existing certificates should not be affected by the ICA replacement, but there are some cases in which you may need to take action.

How will the new ICAs affect my SSL certificate?

DigiCert will not remove the old ICA from certificate stores until all certificates issued from it have expired. Your existing SSL will remain trusted, and in most cases no action should be required.

DigiCert recommends taking action now if you practice any of the following:

  • Pin the old versions of replaced intermediate CA certificates
  • Hard code the acceptance of the old versions of replaced intermediate CA certificates
  • Operate a trust store that includes the old versions of replaced intermediate CA certificates

If you do any of the above, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICA certificate acceptance, or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, can chain up to their ICA and trusted root certificates).

What ICAs are being replaced?

On November 2, 2020, DigiCert is replacing the ICAs listed below. We encourage you to update key stores, needed code, and certificate pinnings that may be in use. For a complete list of replacement ICAs, visit the DigiCert ICA Update Knowledgebase. 

  • DigiCert SHA2 Secure Server CA
  • DigiCert Baltimore CA-2 G2
  • DigiCert Global CA G2
  • DigiCert ECC Secure Server CA
  • DigiCert Baltimore CA-1 G2
  • DigiCert Global CA G3
  • DigiCert Trusted Server CA G4
  • DigiCert ECC Extended Validation Server CA
  • DigiCert Assured ID CA G2
  • DigiCert Extended Validation CA G3
  • DigiCert High Assurance CA-3
  • DigiCert EV Server CA G4

DigiCert Recommended Best Practices

Your SSL certificate download includes the proper ICA files. We recommend that you always include the provided ICA with every certificate you install. This has always been the recommended best practice to ensure ICA certificate replacements go unnoticed and to make sure certificates are trusted.