UPDATE: Product / Service Changes
* Updates as of 20 December 2017
This microsite describes ongoing updates to the products and services available via our Indirect Partner Channel for SSL/TLS products, beginning 6 November 2017. Because some of these changes might affect your operations or your customers, we ask you to please read this site and take action on items pertaining to your usage.
Overview of changes:
| Item | Current Value / Behavior | New Value / Behavior |
|---|---|---|
| PKI Hierarchy / intermediate CAs | Existing hierarchy / intermediates | New hierarchy + intermediates |
| Maximum SAN fields | 100 | 250 |
| Certificate Transparency (CT) | Redaction supported | Optionally not log redacted SSL certificates |
| Algorithm Agility | Support for RSA, DSA and ECC | Support for RSA and ECC |
| MPKI for SSL GetAlternative option | Supported | Discontinued |
| Changing the DV approver email address | Supported | Suspended |
| Partner-customized emails (specifically for domain approvals and revocation requests) for WHOIS authentication | Supported | Discontinued, but replaced by language-specific approver emails |
| Ready Issuance via SOAP API | Supported | Suspended |
| Approve and Push Order State operations via Modify Order API | Supported | Deprecated, but will be replaced by a new process |
| Switching from DNS/file authentication to WHOIS authentication | Supported | Suspended, but with manual mitigation available; anticipated to be resumed in the future |
| DNS Authentication Revocation | Support for revocation via a random string DNS authentication method | Suspended, but anticipated to be resumed in the future |
| DV “Other” contact request for WHOIS authentication | DV customer can request a new authorization contact by selecting “Other” as part of the order flow | Temporary option to send approval email to all emails in the WHOIS record, including the order’s pre-determined email addresses. The “Other” option is anticipated to be resumed in the future |
| Special Instructions | Supported | Temporarily will not be sent to DigiCert; anticipated to be resumed in the future |
| Validate Order Parameters (VOP) and associated responses | Supported | Available but may require extra validation steps by DigiCert, and will not check/return CAA |
Implementation of new Web PKI Hierarchy
We updated our Web PKI hierarchy to modernize and streamline our Public SSL/TLS certificate offerings, and align with changes requested by the browser community. We are issuing all new Public SSL/TLS certificates from new intermediate CAs as of December 1, 2017.
These changes apply to all Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV) SSL/TLS certificates across all of our Website Security brands (GeoTrust, RapidSSL, Symantec, and Thawte) plus white-labeled DV certificates.
Please refer to these webinars:
- Ensuring a Smooth Transition for Your Symantec Certificates
- Symantec - NEW Root Hierarchy technical discussion and Q&A
- GeoTrust, Thawte, RapidSSL: new root hierarchy technical discussion + Q&A
Please refer to these knowledgebase articles:
- New Web PKI Hierarchy Details
- GeoTrust Intermediate and Root CA Certificates
- SSL/TLS OCSP and CRL in GeoTrust new Web PKI hierarchy certificates
- GeoTrust Partner Platform Pre-Production Environment - Root & Intermediate CA Certificates
- RapidSSL - New Web PKI Hierarchy Details
- RapidSSL Intermediate and Root CA Certificates
- RSA SHA-1 DigiCert Global Root CA
- Intermediate CA Certificate: RapidSSL RSA CA 2018
- SSL/TLS OCSP and CRL in RapidSSL new Web PKI hierarchy certificates
- RapidSSL Partner Platform Pre-Production Environment - Root & Intermediate CA Certificates
- New Web PKI Hierarchy Details for Complete Website Security (CWS) and Managed PKI for SSL
- New Web PKI Hierarchy Details for Trust Center Enterprise, Trust Center, and Partners
- SSL Intermediate and Root CA Certificates
- SSL/TLS OCSP and CRL in Symantec new Web PKI hierarchy certificates
- Symantec Partner Platform Pre-Production Environment - Root & Intermediate CA Certificates
- Thawte - New Web PKI Hierarchy Details
- Thawte Intermediate & Root CA Certificates for SSL
- SSL/TLS OCSP and CRL in Thawte new Web PKI hierarchy certificates
- Thawte Partner Platform Pre-Production Environment - Root & Intermediate CA Certificates
Increasing SAN fields maximum to 250
We have expanded the number of available SAN fields in many SSL/TLS certificate products to a maximum of 250 SANs per certificate. This increase applies to EV and OV SSL/TLS certificates across the GeoTrust, Symantec and Thawte brands. This capability enables customers with a large number of domains but limited number of IP addresses to secure their portfolio with fewer SSL certificates.
Changes to Certificate Transparency (CT)
We intend to update the way that we handle Certificate Transparency (CT). We will continue to support CT, but we remain strong proponents of protecting the privacy of customers’ network topology. While we work with the browser community to come to agreement on the details of those protections, we may choose to stop support for redaction and instead offer the option to not log redacted SSL certificates on our CT redacted log server. The obvious consequence of a customer choosing not to log such certificates would be automatic distrust by the Chrome browser; a further consequence is that no person or entity would be able to monitor those certificates on any CT server.
Discontinuation of SSL/TLS certificates using the DSA algorithm
We no longer offer new DSA certificates, nor do we renew or replace existing DSA certificates. Validity of existing DSA certificates will continue until their expiration dates.
Discontinuation of GetAlternative option in Managed PKI for SSL
This option will be discontinued and removed from Managed PKI for SSL.
Changes related to CA Partner operations
In order to meet the requirements of the browser community and prevent browser warnings, our backend authentication processes are handled via DigiCert authentication.
- Pre-authentication for Managed PKI for SSL customers: In order to maintain complete continuity in service, Managed PKI for SSL customers have received communication asking them to pre-authenticate in advance of the transition of the authentication process, and Managed PKI for SSL representatives have contacted them to assist with this process. After completing pre-authentication, they can continue using their current tools as before while benefiting from instant issuance from the new intermediate CAs based on the data pre-authenticated by DigiCert, thereby preventing issuance delays.
- Product/service changes related to CA Partner operations: As a result of this transition of authentication functions, the following specific capabilities within the partner portal or APIs are affected:
  - Suspension of the ability to change the approver email address for DV orders: This API and Partner Portal capability will be suspended, but is anticipated to be resumed by DigiCert in the future.
  - Disabling of partner-customized emails (specifically for domain approvals and revocation requests) where the authentication method is WHOIS: These emails will instead be sent from DigiCert, with the ability to send language-specific approver emails.
  - Suspension of Ready Issuance via SOAP API: The Ready Issuance capability, including the ability to accept/submit Ready Issuance orders, will be suspended.
  - Deprecation of Approve and Push Order State operations via Modify Order API: We will deprecate these capabilities, which respectively test the product life cycle by approving SSL/TLS certificates issued from our test hierarchy and test failure scenarios throughout the product life cycle. In the future, these capabilities will be replaced by a new process.
  - Suspension of the ability to switch from DNS/file authentication to WHOIS authentication: The ability for partners to change the authentication method for DV will be suspended, but is anticipated to be resumed by DigiCert in the future. In the meantime, this capability will continue to be supported via a manual process by a DigiCert agent.
  - DNS Authentication Revocation will only support random string DNS authentication: We will suspend the capabilities to revoke SSL certificates via a random string DNS authentication method and to cancel pending reissues. The suspended capabilities are anticipated to be resumed by DigiCert in the future.
  - Replacement of the DV “Other” contact request for WHOIS authentication: The capability for a DV customer to request a new authorization contact by selecting “Other” as part of the order flow will change temporarily. The new option will send an approval email to all the email addresses found in the WHOIS record, including the order’s pre-determined email addresses. The “Other” option is anticipated to be resumed by DigiCert in the future.
  - Non-receipt of Special Instructions: On a temporary basis, Special Instructions submitted during an order by partners or customers will not be sent to DigiCert. This capability is anticipated to be resumed by DigiCert in the future.
  - Suspension of Validate Order Parameters (VOP) and associated responses: The VOP API will still be available, but a successful VOP response is not guaranteed to lead to a successful order with DigiCert, as DigiCert may require extra validation steps. The VOP and associated responses will also temporarily neither check nor return the domain’s Certificate Authority Authorization (CAA) status. These capabilities are anticipated to be resumed by DigiCert in the future.
| Availability of Capabilities | Web Portal | SOAP API | REST API | Production |
|---|---|---|---|---|
| Partners selling only - RapidSSL and RapidSSL Wildcards - WHOIS Auth (English), SHA2 Mixed Chain | X | X | N/A | Target Date 20th Nov |
| Partners selling only - all DV products, WHOIS Auth (English) | X | X | N/A | Target Date 21st Nov |
| Partners selling all products and capabilities launched earlier as well as EV, OV and DV products where any of the following DV Authentication Methods are used (listed below) | | | | Target Date 27th Nov |
| DV - DNS Auth: Non Shared Key (Random String) | N/A | X | N/A | |
| DV - File Auth: Non Shared Key (Random String) | N/A | X | N/A | |
| DV - WHOIS Auth (Non-English) | X | X | N/A | |
| Partners selling all products and capabilities launched earlier and where DV SSL - DNS Auth - Token Request (Pre-Shared Key) is used | N/A | X | X | Target Date 1st Dec |
| Partners selling all products and capabilities launched earlier and where DV SSL - File Auth - Token Request (Pre-Shared Key) is used | N/A | X | X | |
For clarifications regarding any of these items, please contact our support team at https://go.symantec.com/contact