DigiCert KnowledgeBase - Technical Support

DigiCert’s TLS Root Strategy: Aligning with New Industry Standards

Solution ID: ALERT86
Last Modified: 04/08/2026

Over the next few years, the digital security industry is changing how publicly trusted root and intermediate certificates are managed and used. Operating system and browser root programs (Google Chrome, Apple, Mozilla, and Microsoft) will require certificate authorities (CAs), such as DigiCert, to move away from multi‑purpose root hierarchies to dedicated, single-purpose hierarchies to enhance security and digital trust.

To enhance digital trust, DigiCert will align our root strategy with the evolving industry standards for issuing public TLS/SSL certificates.

These industry shifts specifically target the public WebPKI and do not affect the following:

  • X9 PKI for TLS:
    These certificates operate independently of the standard WebPKI (browsers). They follow their own community-driven timelines for root updates.
  • Private, Government, and Other Root Stores:
    Because these are managed by the users rather than by DigiCert's public root program, they are not impacted by these specific browser mandates.


Items covered in this article

  • Mozilla and Google Chrome G1 Root Removal
  • Revocation of Intermediate (ICA) and Cross-Signed Certificates
  • Transition to Single-EKU Public TLS Certificates

Mozilla and Google Chrome G1 Root Removal

Deadline: April 15, 2026

On April 15, 2026, Mozilla and Google Chrome will remove DigiCert's G1 root certificates from their trust stores.


Background

To minimize the impact of the G1 root removal, DigiCert transitioned our default public TLS certificate issuance to our second-generation (G2) hierarchies on March 8, 2023. See DigiCert root and intermediate CA certificate updates 2023.

However, some customers have devices that require updates before they can transition to the G2 root hierarchies. DigiCert may allow customers to continue issuing TLS certificates from our G1 root hierarchies on an exception basis. However, these certificates will not be trusted in Google Chrome or Mozilla Firefox starting April 15, 2026.


Does the G1 root removal affect me?

Most DigiCert customers have moved to our G2 root hierarchies, and no action is required. You are only affected if you meet these criteria:

  1. You have active TLS certificates issued from a G1 root hierarchy.
  2. Your certificates require trust in Google Chrome or Mozilla Firefox.

 

Required actions

  • If your TLS certificates expire after April 15, 2026:
    Reissue or renew your TLS certificates using the DigiCert G2 or G3 root hierarchy before the deadline to avoid "Untrusted" browser warnings.
  • If your TLS certificates expire before April 15, 2026:
    No immediate action. Your next renewal will automatically move you to a supported G2 or G3 hierarchy. You can no longer renew certificates using a G1 root hierarchy.



Revocation of Intermediate (ICA) and Cross-Signed Certificates

Deadline: May 15, 2026

DigiCert will revoke several G2 and G3 intermediate CA (ICA) certificates and two G5 cross-signed root certificates on May 15, 2026.

Why is this happening?

The Google Chrome Root Program requires Certificate Authorities (CAs) to use dedicated TLS root hierarchies for issuing public TLS certificates. To transition our G2 and G3 TLS root hierarchies to single-purpose root hierarchies dedicated to issuing public RSA and ECC TLS certificates, DigiCert must revoke several G2 and G3 ICA certificates used to issue non-TLS certificates, such as S/MIME and Code Signing. Learn more about the transition from multipurpose G2 and G3 roots to dedicated TLS root hierarchies.

Additional revocations

DigiCert must also revoke a TLS ICA certificate and two cross-signed root certificates that do not contain any EKUs. This aligns with Google Chrome policy, which requires CAs to include only the Server Authentication (serverAuth) and, optionally, Client Authentication (clientAuth) EKUs in their ICA and cross-signed root certificates.

See which ICA and cross-signed root certificates are being revoked:


Does the ICA and cross-signed root certificates revocation affect me?

  • ICA certificate revocations: You are only affected by these revocations if you have active certificates issued by any of the G2 and G3 ICA certificates being revoked. 
  • Cross-signed certificate revocations: You are only affected by these revocations if you have active certificates issued from the G5 TLS and Code Signing root hierarchies and installed either of the cross-signed roots being revoked in your certificate trust chains.


Required actions

  • If you have certificates issued by the ICA certificates being revoked:
    Switch to new ICA certificates and reissue or renew your certificates as needed before the deadline to avoid the following post-revocation problems:
      • Relying parties can no longer tell whether the certificate's private key was compromised, or whether another security issue affects it.
      • Certificate software may fail to validate the certificate and consider the end-entity certificate untrusted.
  • If you have certificates that include the G5 cross-signed roots in their chain of trust:
    Replace this cross-signed certificate in your end-entity certificate chain of trust with an updated version before the deadline to ensure the alternative trust path for your certificates continues to provide the required trust.

Learn what you need to do to prepare for these revocations:



Transition to Single-EKU Public TLS Certificates

Deadline: March 1, 2027

On March 1, 2027, DigiCert will remove the Client Authentication EKU from certificates chaining to the DigiCert Global G2 root, the DigiCert Global G3 root, the DigiCert TLS RSA4096 Root G5, and the DigiCert TLS P384 Root G5.

This change affects all of DigiCert's public TLS certificates (DV, OV, EV, EU Qualified Website Authentication Certificate (QWAC), and EU QWAC PSD2) across all DigiCert brands: DigiCert®, GeoTrust®, Thawte®, RapidSSL®, and Encryption Everywhere®.

Why is this happening?

The Google Chrome Root Program requires CAs to stop including the Client Authentication extended key usage (EKU) in public TLS certificates.

Does the transition to single EKU certificates affect me?

  • Standard Website Owners: If you only use TLS certificates to secure websites (HTTPS), no action is required.
  • mTLS Users: If your organization uses public TLS certificates for Mutual TLS (mTLS) or server-to-server identity, you are impacted, and action is required.
    DigiCert recommends that you stop using the clientAuth EKU in all public certificates.
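The three "does this affect me?" checks in this article (which root hierarchy a certificate chains to once a root is dropped from a trust store, which ICA issued it, and whether a certificate without the clientAuth EKU still passes client authentication) can be run against your own certificate files. The following is an added example written for this article, not DigiCert code, and the two hierarchies it builds with Go's standard crypto/x509 package are constructed stand-ins: "Example Legacy Root (G1-like)" plays the role of a root being removed from the trust store, "Example Current Root (G2-like)" the role of the hierarchy that stays trusted, and the ICA and leaf names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on err; it keeps the constructed-hierarchy setup short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template: CAs carry no EKU extension (unrestricted); leaves carry exactly the EKUs given.
func template(cn string, isCA bool, ekus []x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true, IsCA: isCA, ExtKeyUsage: ekus,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl with parentKey (self-signed when parent is nil); returns the parsed cert and its new P-256 key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// Scenario: a constructed legacy hierarchy (stand-in for a G1-style root being removed) and a constructed current one (G2/G3 stand-in).
type Scenario struct {
	LegacyRoot, LegacyICA, LegacyLeaf                   *x509.Certificate
	CurrentRoot, CurrentICA, DualEKULeaf, SingleEKULeaf *x509.Certificate
}

func BuildScenario() Scenario {
	both := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	legacyRoot, legacyRootKey := issue(template("Example Legacy Root (G1-like)", true, nil), nil, nil)
	legacyICA, legacyICAKey := issue(template("Example Legacy ICA", true, nil), legacyRoot, legacyRootKey)
	currentRoot, currentRootKey := issue(template("Example Current Root (G2-like)", true, nil), nil, nil)
	currentICA, currentICAKey := issue(template("Example Current ICA", true, nil), currentRoot, currentRootKey)
	legacyLeaf, _ := issue(template("legacy.example.test", false, both), legacyICA, legacyICAKey)
	dualLeaf, _ := issue(template("dual.example.test", false, both), currentICA, currentICAKey)
	singleLeaf, _ := issue(template("single.example.test", false, both[:1]), currentICA, currentICAKey) // serverAuth only
	return Scenario{LegacyRoot: legacyRoot, LegacyICA: legacyICA, LegacyLeaf: legacyLeaf,
		CurrentRoot: currentRoot, CurrentICA: currentICA, DualEKULeaf: dualLeaf, SingleEKULeaf: singleLeaf}
}

// VerifiedChain verifies leaf for the given EKU against the trust store and returns the subject CNs
// from leaf to root (middle entries are the issuing ICAs), or nil when no trusted chain exists.
func VerifiedChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, usage x509.ExtKeyUsage) []string {
	opts := x509.VerifyOptions{Intermediates: x509.NewCertPool(), Roots: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{usage}}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return nil
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names
}

// HasClientAuth reports whether the certificate's EKU extension lists clientAuth.
func HasClientAuth(c *x509.Certificate) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			return true
		}
	}
	return false
}

func main() {
	s := BuildScenario()
	store, inters := []*x509.Certificate{s.CurrentRoot}, []*x509.Certificate{s.LegacyICA, s.CurrentICA} // legacy root removed
	fmt.Println("legacy leaf:", VerifiedChain(s.LegacyLeaf, inters, store, x509.ExtKeyUsageServerAuth), "current leaf:", VerifiedChain(s.DualEKULeaf, inters, store, x509.ExtKeyUsageServerAuth))
	fmt.Println("single-EKU leaf has clientAuth:", HasClientAuth(s.SingleEKULeaf), "clientAuth chain:", VerifiedChain(s.SingleEKULeaf, inters, store, x509.ExtKeyUsageClientAuth))
}
```

To run the same checks on real certificates, replace BuildScenario with certificates loaded through x509.ParseCertificate (after pem.Decode on your PEM files) and a root pool from x509.SystemCertPool. The middle entries of the returned chain are the ICA subject names to compare against the revocation list above, the last entry tells you which root hierarchy you depend on, and a nil result under ExtKeyUsageClientAuth is what a relying party that checks the clientAuth EKU will see once that EKU is removed.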


DigiCert has excellent options available for our customers and partners who require the client authentication EKU beyond March 1, 2027.

If you require the clientAuth EKU in your TLS certificates, these are the options:

  • X9 PKI for TLS certificate:
    Transition to DigiCert’s X9 PKI for TLS certificates to secure communications involving multiple organizations. X9 PKI for TLS certificates can have both Client Authentication and Server Authentication EKUs. Learn more about X9 PKI for TLS.
  • Private Trust:
    Transition to Private PKI as a service for business needs that are strictly internal. Learn more about Private PKI as a service.
  • Existing DigiCert Roots:
    If you require non-browser ubiquity, you should use existing DigiCert root hierarchies to issue TLS certificates that include the clientAuth EKU. However, these certificates will not be trusted in Google Chrome or Mozilla Firefox.