- Contact Us
-
choose your language
Knowledge Base
DigiCert: Expiring public root and intermediate CA certificates
This knowledge base article lists the public DigiCert Intermediate Certificate Authority (ICA) and Root certificates that expire in the next 42 months (3 ½ years). Use this page to track when the ICA and root certificates in your certificate chains expire.
We will periodically update the lists of certificates as we add more expiring certificates and remove expired certificates.
Move off any expiring ICA and root certificates as soon as possible to avoid service interruptions. When an ICA/root hierarchy expires, you can no longer issue TLS, code signing, and other digital certificates from that expired hierarchy.
Until you move to a new ICA/root hierarchy, you may be unable to renew expiring certificates, get needed new certificates, etc., potentially causing an array of service interruptions, such as an expired TLS certificate preventing customers from accessing your site.
Are you wondering why your certificate validity has been shortened? As the ICA/root certificate hierarchy approaches its expiration date, the certificates it issues begin to have a shortened validity. This happens because a certificate cannot expire after its issuing ICA certificate expires. For example, a public TLS certificate has a maximum validity of 397 days. But when your issuing ICA certificate expires in 396 days, it can only issue certificates with a maximum validity of 396 days. If your issuing ICA certificate expires in 299 days, it can only issue certificates with a maximum validity of 299 days. This pattern continues until your issuing ICA certificate expires. |
What to do if the ICA or root certificate you use is listed below
- Move to a different public root and intermediate CA certificate hierarchy.
Before the ICA or root certificate expires, you must move to a different public root and intermediate CA certificate hierarchy.
Please contact your account representative if you need help moving to a new CA certificate hierarchy.
- Do you pin ICA or root certificates or hard-code certificate trust?
Then, you must update your environment to ensure certificates issued from the new certificate hierarchy are trusted before moving to the new hierarchy (in other words, they can chain up to their trusted root certificate).
DigiCert recommends that you stop pinning and hard-coding root and ICA certificate acceptance. Stopping these practices makes moving to new ICA certificates or root certificate hierarchies easier.
Expiring DigiCert public CA certificates
The public intermediate CA (ICA), cross-signed root, and root certificates listed below expire in the next three years.
Items to note:
- When the root certificate expires, so do all intermediate CA (ICA) certificates chaining to it. You must move to a different root certificate hierarchy.
- When only the ICA certificate is expiring, you may be able to move to another ICA certificate issued from the same root.
- When the cross-signed root certificate expires, there may be another cross-signed root certificate you can use if one is still needed.
Expiring root certificates
| Common name | Serial number | Root expires on |
| Baltimore CyberTrust Root | 020000b9 | 12/May/2025 |
Expiring cross-signed root certificates
| Common name | Serial number | Issuer | Can issue | Expires on |
| DigiCert Trusted Root G4 | 026a53455cc70012fa23ce7a80f85e47 | DigiCert Global Root CA | Any | 22/Oct/2023 |
| DigiCert High Assurance EV Root CA | 03bad1d3f56cf1218e8def57dc4195bb | Baltimore CyberTrust Root | Any | 10/May/2025 |
| DigiCert Global Root CA | 0f5bc3a176cb789e2020c7893c8167b4 | Baltimore CyberTrust Root | Any | 10/May/2025 |
Expiring ICA certificates
Common name
Serial number
Issuer
Can issue
Expires on
QuoVadis Code Signing CA G1
1ce6507ec1d9c0b16178feee058cae7a0b142858
QuoVadis Root CA 2
Any, Code signing
30/May/2024
DigiCert Baltimore CA-2 G2
0182f8098ea2e626b91a3b27841fb9af
Baltimore CyberTrust Root
Any
10/May/2025
DigiCert Baltimore CA-1 G2
05da0deca735a1bc5c36d51ed5ead7ba
Baltimore CyberTrust Root
Any
10/May/2025
DigiCert Baltimore EV CA
09ccdc9f99344b52d37b305376d6c2c5
Baltimore CyberTrust Root
Any
10/May/2025
DigiCert Baltimore SMIME RSA SHA256 2020 CA1
0b2b0924040197da8493f6cbf00ad9d5
Baltimore CyberTrust Root
S/MIME
11/May/2025
DigiCert High Assurance Code Signing CA-1
02c4d1e58a4a680c568da3047e7e4d5f
DigiCert High Assurance EV Root CA
Code signing
10/Feb/2026
DigiCert Assured ID Code Signing CA-1
07f4736fafef408a1f6640f265d10ac1
DigiCert Assured ID Root CA
Code signing
10/Feb/2026
DigiCert High Assurance Code Signing CA-1
081c57ee5d70eb9ba0b1520c729c1b09
DigiCert High Assurance EV Root CA
Code signing
10/Feb/2026
DigiCert Assured ID Code Signing CA-1
0fa8490615d700a0be2176fdc5ec6dbd
DigiCert Assured ID Root CA
Code signing
10/Feb/2026
Cybertrust Japan Issuing CA-1
0c5b120dac42a1cb7b2089db176e0478
Verizon Global Root CA
Any
1/Sep/2026
DigiCert SHA-2 RADIUS CA
037953f3cd747e3ee71b73407f3e8555
DigiCert Global Root CA
Any
20/Sep/2026
DigiCert Grid Trust CA
0715561fe57f30be17898923c33a4450
DigiCert Assured ID Root CA
Any
7/Dec/2026
-
The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.
-
-
© 2022-2024, DigiCert, Inc. All rights reserved.
Cookie Settings
