Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
382
Views
1
Helpful
0
Comments

IP Address Changes for DigiCert CRL and OCSP Domains

adamwin
Cisco Employee
Cisco Employee

‎01-27-2025 07:13 PM - edited ‎01-27-2025 09:12 PM

Some Secure Access downloadable components such as Secure Client and the DNS Forward (virtual appliance) utilize DigiCert certificates for TLS encryption. These software components also contact various DigiCert domains for certificate revocation check (CRL) and certificate status (OCSP). 

These services are contacted via domains such as crl3.digicert.com, crl4.digicert.com, and ocsp.digicert.com

Previously these domains resolved to a small set of IPs that were included in our documentation for customers that used IP-based firewall rules: 72.21.91.29, 93.184.220.29, 117.18.237.29, 152.195.38.76, 192.16.49.85, 192.16.58.8, 192.229.211.108, and 192.229.221.95

DigiCert has recently moved to a CDN and the list of IPs has changed. The full list is available from DigiCert directly: https://knowledge.digicert.com/alerts/digicert-certificate-status-ip-address#certificate-status-ipv4

Customers using IP address based firewall rules should take note of the new list. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents