Partner Blog 09-20-2018

Rollin’ with the Changes

Tobias Zatti

We’ve come so far in the development of the CertCentral partner portal that it’s been in beta. And because we now must put all our available dev resources into its development, we must stop developing the legacy Website Security partner portals.

Now, don’t panic. That (^^^) doesn’t mean we’re going to ignore those battle-tested portals.

Quite to the contrary, we’re actively fixing bugs and making under-the-hood updates to support all the migrations and transitions we still need to accomplish.

And to prove that, here’s a laundry list of what we pushed live in today’s release:

  • Bug Fixes
    • We’ve hidden unimportant action-result combinations in our backend’s order history section, so if you ever feel like making tens of thousands of updates to an order (where we used to expect maybe up to ten instead), you can now do so without breaking the Internet – or our backend!
    • We resolved cases where orders don’t sync to one of our backends (again).
    • Some order states were not aligning correctly, so we fixed that.
    • We now rate-limit access to the Sync API. Note that we sync automatically every five minutes anyway, so there’s no real need for doing that on your side.
  • Important updates which (sigh) you probably won’t notice
    • We’ve updated the Privacy Policy in the partner portals.
    • We’ve upgraded to supporting OpenSSL 1.1.0i as necessary for Apache HTTPD 2.4.34.
  • Transition and migration stuff

And there’s one more change we didn’t make, but will on 27 September 2018. And this is going to require a meandering technical backstory, so stick with me:

  • A Google Chrome bug didn’t show the EV indicator when leaf certs chained to DigiCert Global G2 Root, so we decided to add the Symantec policy OID to the leaf certs to match the OID in VeriSign G5 Root. As a result, all full SHA256 EV certs issued after 31 January 2018 included three policy OIDs (the DigiCert OID 2.16.840.1.114412.2.1, the Symantec OID 2.16.840.1.113733., and the CA/Browser Forum OID
  • We were just so very pleased with ourselves and began celebrating with cake and fizzy drinks, but then came another Chrome bug in macOS, which didn’t show the EV indicator when the leaf certs included multiple policy OIDs.
  • We never got to enjoy the cake and drinks. But we did get to work quickly to get things sorted.
  • Because the first Chrome bug I mentioned above has already been fixed (we confirmed the latest Chrome release shows the EV indicator when there are two policy OIDs in the leaf certs), we decided to remove the Symantec OID on 27 September 2018 to restore EV compatibility in macOS. (There’s going to be other news which will overshadow that OID removal, but it was important for us to point it out regardless). This is all represented in our latest PKI hierarchy details.
  • How does this affect you? Let’s just say that if you have cake and fizzy drinks, you get to enjoy them, because there is no partner or customer action required – with one anticipated exception: those who want to support the EV indicator on the macOS version of Chrome simply need to replace their existing full-chain SHA256 EV certificate(s). We offer certificate replacements at no charge to customers.
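
One way to find which deployed EV leaf certificates still carry a policy OID under the Symantec arc described above, and so are candidates for replacement. This is an added example, not DigiCert tooling; it assumes the `openssl x509 -noout -text` dump format, and the function names and the placeholder OIDs in the constructed samples are hypothetical.

```shell
#!/bin/sh
# Added example (not DigiCert tooling). Reads the text dump produced by
#   openssl x509 -in cert.pem -noout -text
# on stdin and reports whether the leaf still carries a Symantec-arc policy OID.

DIGICERT_EV_OID='2.16.840.1.114412.2.1'  # DigiCert OID as given in the post
SYMANTEC_ARC='2.16.840.1.113733.'        # Symantec prefix as given in the post

# Print one policy OID per line from the Certificate Policies section.
policy_oids() {
    sed -n 's/^[[:space:]]*Policy:[[:space:]]*\([0-9.]*\).*$/\1/p'
}

# Print "replace", "ok", or "not-digicert-ev" for the dump on stdin.
classify_cert() {
    has_digicert=no
    has_symantec=no
    for oid in $(policy_oids); do
        case "$oid" in
            "$DIGICERT_EV_OID") has_digicert=yes ;;
            "$SYMANTEC_ARC"*)   has_symantec=yes ;;
        esac
    done
    if [ "$has_digicert" = no ]; then
        echo not-digicert-ev
    elif [ "$has_symantec" = yes ]; then
        echo replace
    else
        echo ok
    fi
}

# Constructed dumps, not real certificates. 2.16.840.1.113733.0.0 and
# 2.999.1 are placeholders for the OIDs the post does not give in full.
sample_before() {
    printf '%s\n' \
        '            X509v3 Certificate Policies: ' \
        '                Policy: 2.16.840.1.114412.2.1' \
        '                  CPS: https://example.invalid/cps' \
        '                Policy: 2.16.840.1.113733.0.0' \
        '                Policy: 2.999.1'
}
sample_after() {
    sample_before | grep -v '113733'
}

echo "before: $(sample_before | classify_cert)"
echo "after:  $(sample_after | classify_cert)"
```

For a real certificate, pipe the dump in directly: `openssl x509 -in cert.pem -noout -text | classify_cert`.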
