As part of the evolution of cybersecurity services, and with the aim of improving global availability, DigiCert announced a change to its digital certificate validation infrastructure. As of May 26, 2026 at 17:00 UTC, the DigiCert® ONE OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) endpoints will begin to operate through a content distribution network (CDN).
This update means that the domains used for digital certificate validation (ocsp.one.digicert.com, crl.one.digicert.com and cacerts.one.digicert.com) will no longer be associated with a single fixed IP address, instead resolving through multiple dynamic IP addresses. This approach is increasingly common in modern cybersecurity environments, as it improves the resilience and performance of services.
For most organizations, this change will be transparent. However, those using security configurations based on IP allowlists will need to update their rules in firewalls, proxies, or security groups to allow access to the CDN provider's new dynamic IPs.
Failure to perform this update could cause OCSP and CRL failures, affecting the verification and validation of digital certificates in applications, critical services or web browsers, which can result in trust errors or operational interruptions.
Likewise, organizations that work with custom hostnames (CNAME) linked to these endpoints will need to review their configurations, as they may require additional adjustments to ensure proper integration with the CDN.
For the complete list of IP addresses, see DigiCert's "Platform IP Addresses and URLs" page.
We recommend that infrastructure and cybersecurity teams anticipate this change and validate their configurations to ensure the continuity of processes that depend on digital certificates.
For more information about this change or assistance in adapting your environments, the CertiSur team is available at soporte@certisur.com to assist its clients.
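One way to run that validation, as an added example that is not DigiCert's or CertiSur's own tooling: the script resolves the three hostnames named above and reports any address that a local egress allowlist does not cover. The function names, the port 80 default and the `LOCAL_ALLOWLIST` networks are assumptions; replace the constructed placeholder networks with the rules actually deployed on your firewall or proxy.

```python
import ipaddress
import socket

# Hostnames named in the notice.
ENDPOINTS = ("ocsp.one.digicert.com", "crl.one.digicert.com",
             "cacerts.one.digicert.com")


def resolve(host, port=80):
    """Return the addresses the host resolves to right now.

    Port 80 is an assumption. A single lookup is only a sample of a CDN's
    address pool, so the published IP list remains the reference.
    """
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def uncovered(addresses, allowlist):
    """Return, sorted, the addresses that no allowlisted network contains."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    missing = []
    for text in sorted(addresses):
        ip = ipaddress.ip_address(text)
        if not any(ip.version == net.version and ip in net for net in nets):
            missing.append(text)
    return missing


def audit(resolved, allowlist):
    """Map each hostname to the resolved addresses the allowlist misses."""
    return {host: uncovered(addrs, allowlist)
            for host, addrs in resolved.items()}


if __name__ == "__main__":
    # Constructed placeholder networks (documentation ranges), not real rules.
    LOCAL_ALLOWLIST = ["192.0.2.0/24", "2001:db8::/32"]
    resolved = {}
    for host in ENDPOINTS:
        try:
            resolved[host] = resolve(host)
        except socket.gaierror as exc:
            print(f"{host}: DNS lookup failed ({exc})")
    for host, missing in audit(resolved, LOCAL_ALLOWLIST).items():
        status = "covered" if not missing else "NOT in allowlist: " + ", ".join(missing)
        print(f"{host}: {status}")
```

Run it from a host behind the filtered egress path, both before and after the cutover; an empty result only means the addresses seen in that lookup are covered.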