Why am I receiving a warning about my high assurance Digicert SSL certificate having outdated intermediate certificates?

Did you receive a warning message from DigitCert indicating that your high assurance DigiCert SSL was using outdated intermediate certificates? The message would say something like  "Your server is not sending the right intermediate certificates." -- 

        This is a partially true, but also can be effectively ignored. The intermediate certificates they are referring to will not work with old web browsers. Specifically --  DigiCertHighAssuranceEVRootCA is not compatible with older browsers.

        DigiCert SSL certificates expiring after January 2011 are issued from a 2048 bit certificate path. The Root Certificate in this path is titled "DigiCert High Assurance EV Root CA" and is already trusted by all modern browsers (Internet Explorer, Firefox, Safari, Opera, Chrome, etc.)

         To maintain widespread compatibility with older browsers and some mobile devices, DigiCert provides a Cross-Signed Intermediate Certificate which enables legacy devices to follow the intermediate certificate chain to the "Entrust.net Secure Server Certification Authority" Root Certificate. This Cross-Signed certificate appears in your Intermediate Certification Authorities certificates store in Windows. Its Subject is "DigiCert High Assurance EV Root CA" and its Issuer is "Entrust.net Secure Server Certification Authority".

-- Source 1: http://www.emaildiscussions.com/showpost.php?s=972f682c624daa34ba9109da2adad4bf&p=526902&postcount=8

-- Source 2: http://www.digicert.com/ssl-support/certificate-not-trusted-error.htm


Summary: At Cloudflare we have setup the appropriate Cross-Signed Intermediate Certificate as referenced by DigiCert. This ensures that visitors to your site will continue to have the appropriate SSL experience, but this also maintains widespread support for legacy browsers. This is the best of both worlds -- your SSL works properly, and it's available to the largest number of visitors to your site (and the browsers they use).


Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk