UPDATE: Product / Service Changes

* Updates as of 20 December 2017

This microsite describes ongoing updates to the products and services available via our Indirect Partner Channel for SSL/TLS products, beginning 6 November 2017. Because some of these changes might affect your operations or your customers, we ask you to please read this site and take action on items pertaining to your usage.

Overview of changes:

| Item | Current Value / Behavior | New Value / Behavior |
|---|---|---|
| PKI Hierarchy / intermediate CAs | Existing hierarchy / intermediates | New hierarchy + intermediates |
| Maximum SAN fields | 100 | 250 |
| Certificate Transparency (CT) | Redaction supported | Optionally not log redacted SSL certificates |
| Algorithm Agility | Support for RSA, DSA and ECC | Support for RSA and ECC |
| MPKI for SSL GetAlternative option | Supported | Discontinued |
| Changing the DV approver email address | Supported | Suspended |
| Partner-customized emails (specifically for domain approvals and revocation requests) for WHOIS authentication | Supported | Discontinued, but replaced by language-specific approver emails |
| Ready Issuance via SOAP API | Supported | Suspended |
| Approve and Push Order State operations via Modify Order API | Supported | Deprecated, but will be replaced by a new process |
| Switching from DNS/file authentication to WHOIS authentication | Supported | Suspended, but with manual mitigation available; anticipated to be resumed in the future |
| DNS Authentication Revocation | Support for revocation via a random string DNS authentication method | Suspended, but anticipated to be resumed in the future |
| DV “Other” contact request for WHOIS authentication | DV customer can request a new authorization contact by selecting “Other” as part of the order flow | Temporary option to send approval email to all emails in the WHOIS record, including the order’s pre-determined email addresses. Other option is anticipated to be resumed in the future |
| Special Instructions | Supported | Temporarily will not be sent to DigiCert; anticipated to be resumed in the future |
| Validate Order Parameters (VOP) and associated responses | Supported | Available but may require extra validation steps by DigiCert, and will not check/return CAA |

Implementation of new Web PKI Hierarchy
We updated our Web PKI hierarchy to modernize and streamline our Public SSL/TLS certificate offerings, and align with changes requested by the browser community. We are issuing all new Public SSL/TLS certificates from new intermediate CAs as of December 1, 2017.

These changes apply to all Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV) SSL/TLS certificates across all of our Website Security brands (GeoTrust, RapidSSL, Symantec, and Thawte) plus white-labeled DV certificates.

Please refer to these webinars:

Please refer to these knowledgebase articles:

Increasing SAN fields maximum to 250
We have expanded the number of available SAN fields in many SSL/TLS certificate products to a maximum of 250 SANs per certificate. This increase applies to EV and OV SSL/TLS certificates across the GeoTrust, Symantec and Thawte brands. This capability enables customers with a large number of domains but limited number of IP addresses to secure their portfolio with fewer SSL certificates.

Changes to Certificate Transparency (CT)
We intend to update the way that we handle Certificate Transparency (CT). We will continue to support CT, but we remain strong proponents of protecting the privacy of customers’ network topology. While we work with the browser community to come to agreement on the details of those protections, we may choose to stop support for redaction and instead offer the option to not log redacted SSL certificates on our CT redacted log server. The obvious consequence of a customer choosing not to log such certificates would be automatic distrust by the Chrome browser; it would also mean that no person or entity could monitor those certificates on any CT server.

Discontinuation of SSL/TLS certificates using the DSA algorithm
We no longer offer new DSA certificates, nor do we renew or replace existing DSA certificates. Validity of existing DSA certificates will continue until their expiration dates.

Discontinuation of GetAlternative option in Managed PKI for SSL
This option will be discontinued and removed from Managed PKI for SSL.

Changes related to CA Partner operations
In order to meet the requirements of the browser community and prevent browser warnings, our backend authentication processes are handled via DigiCert authentication.

  • Pre-authentication for Managed PKI for SSL customers: In order to maintain complete continuity in service, Managed PKI for SSL customers have received communication asking that they pre-authenticate in advance of transition of the authentication process. They have heard from Managed PKI for SSL representatives to assist them through this process. After completing pre-authentication, they have been enabled to continue using their current tools as before while benefiting from instant issuance from the new intermediate CAs based on the data pre-authenticated by DigiCert, thereby preventing issuance delays.

  • Product/service changes related to CA Partner operations: As a result of this transition of authentication functions, these specific changes within the partner portal or APIs will be affected:

    • Suspension of ability to change the approver email address for DV orders: This API and Partner Portal capability will be suspended, but is anticipated to be resumed by DigiCert in the future.
    • Disabling of partner-customized emails (specifically for domain approvals and revocation requests) where the authentication method is WHOIS: These emails will instead be sent from DigiCert, with the ability to send language-specific approver emails.
    • Suspension of Ready Issuance via SOAP API: The Ready Issuance capability, including the ability to accept/submit Ready Issuance orders, will be suspended.
    • Deprecation of Approve and Push Order State operations via Modify Order API: We will deprecate these capabilities which respectively test the product life cycle via approving SSL/TLS certificates issued from our test hierarchy and test fail case scenarios throughout the product life cycle. In the future, these capabilities will be replaced by a new process.
    • Suspension of ability to switch from DNS/file authentication to WHOIS authentication: The ability for partners to change the authentication method for DV will be suspended, but is anticipated to be resumed by DigiCert in the future. In the meantime, this capability will continue to be supported via a manual process by a DigiCert agent.
    • DNS Authentication Revocation will only support random string DNS authentication: We will suspend the capabilities to revoke SSL certificates via a random string DNS authentication method and cancel pending reissues. The suspended capabilities are anticipated to be resumed by DigiCert in the future.
    • Replacement of the DV “Other” contact request for WHOIS authentication: The capability for a DV customer to request a new authorization contact by selecting “Other” as part of the order flow will change temporarily. The new option will send an approval email to all the email addresses found in the WHOIS record, including the order’s pre-determined email addresses. The Other option is anticipated to be resumed by DigiCert in the future.
    • Non-receipt of Special Instructions: On a temporary basis, Special Instructions, submitted during an order by partners or customers, will not be sent to DigiCert. This capability is anticipated to be resumed by DigiCert in the future.
    • Suspension of Validate Order Parameters (VOP) and associated responses: The VOP API will still be available, but a successful response is not guaranteed to lead to a successful order with DigiCert, as there may be extra validation steps by DigiCert. The VOP and associated responses will also temporarily neither check nor return the domain’s Certificate Authority Authorization (CAA) status. These capabilities are anticipated to be resumed by DigiCert in the future.

| Availability of Capabilities | Web Portal | SOAP API | REST API | Production |
|---|---|---|---|---|
| Partners selling only - RapidSSL and RapidSSL Wildcards - WHOIS Auth (English), SHA2 Mixed Chain | X | X | N/A | Target Date 20th Nov |
| Partners selling only - all DV products, WHOIS Auth (English) | X | X | N/A | Target Date 21st Nov |
| Partners selling all products and capabilities launched earlier as well as EV, OV and DV products where any of the following DV Authentication Methods are listed below | | | | Target Date 27th Nov |
| DV - DNS Auth: Non Shared Key (Random String) | N/A | X | N/A | |
| DV - File Auth: Non Shared Key (Random String) | N/A | X | N/A | |
| DV - WHOIS Auth (Non-English) | X | X | N/A | |
| OV SSL | X | X | N/A | |
| EV SSL | X | X | N/A | |
| Partners selling all products and capabilities launched earlier and where DV SSL - DNS Auth - Token Request (Pre-Shared Key) is used. | N/A | X | X | Target Date 1st Dec |
| Partners selling all products and capabilities launched earlier and where DV SSL - File Auth - Token Request (Pre-Shared Key) | N/A | X | X | |

For clarifications regarding any of these items, please contact our support team at https://go.symantec.com/contact
