DigiCert transitioning its multipurpose PKI hierarchies to dedicated TLS root hierarchies

Solution ID : ALERT60
Last Modified : 07/30/2025

The Google Chrome Root Program requires Certificate Authorities (CAs) to use dedicated TLS root hierarchies for issuing public TLS certificates. To enhance digital trust and comply with the evolving requirements of browser root programs, DigiCert is transitioning to single-purpose root hierarchies dedicated to issuing public TLS end-entity certificates.

To see the products and intermediate CA (ICA) certificates affected by this change, see the table under "Intermediate CA certificates along with their end-entity certificates to be revoked on May 15, 2026" below.

What is changing

Today, DigiCert uses its DigiCert Global Root G2 and DigiCert Global Root G3 hierarchies to issue TLS, code signing, and S/MIME certificates. To transition the G2 and G3 multipurpose PKI hierarchies to dedicated TLS root hierarchies, DigiCert must do the following:

  • Revoke the G2 S/MIME and G3 Code Signing ICA certificates and their associated end-entity certificates.
  • Revoke one G2 TLS ICA certificate along with its associated TLS certificates. This ICA certificate does not contain the server authentication extended key usage (EKU) that Google Chrome requires.

Timeline for the transition to dedicated TLS root hierarchies

  • July 23, 2025: Truncate certificate validity
  • May 15, 2026: Revoke certificates

July 23, 2025: Truncate end-entity certificate validity

Currently, all certificates issued from the G2 S/MIME ICA, G3 Code Signing ICAs, and the G2 TLS ICA (without the server authentication EKU) can be issued with a validity that extends beyond the May 15, 2026, revocation date.

Starting July 23, 2025, DigiCert will automatically truncate the validity of certificates issued by these intermediate CAs, which are set to be revoked on May 15, 2026. See the “to be revoked” ICA certificates listed in the table below. All newly issued certificates, including new, renewal, reissue, and duplicate certificates, will be set to expire no later than May 14, 2026, at 23:59:59 UTC.

What if I don't want certificates with a truncated validity?

To get certificates that expire after May 14, 2026, use the replacement/new intermediate certificate to issue your certificates. See the new ICA certificates listed in the table below.

May 15, 2026: Revoke intermediate CA certificates along with all associated end-entity certificates

On May 15, 2026, DigiCert will revoke the intermediate CA (ICA) certificates listed in the table below, along with all associated end-entity certificates. This revocation is required to transition the DigiCert Global Root G2 and DigiCert Global Root G3 hierarchies into dedicated TLS-only hierarchies.

What do I need to do?

Before May 15, 2026, reissue affected certificates:

  • TLS and S/MIME certificates
    • Reissue your affected certificates with their replacement/new intermediate certificate.
    • Install the reissued certificate.
  • Code Signing certificates
    • Make sure you've timestamped your signatures. Timestamped signatures remain trusted after the code signing certificate is revoked.
    • Re-sign non-timestamped files and other file types as needed before the code signing certificate is revoked.

      Re-sign Java files before code signing certificates are revoked

      Java determines the trustworthiness of code-signing signatures based on the certificate's status, not its revocation date. Therefore, all Java signatures become invalid when a code-signing certificate is revoked, regardless of when the revocation occurs.

    • Reissue your affected certificates with their replacement/new intermediate certificate.
       

Intermediate CA certificates along with their end-entity certificates to be revoked on May 15, 2026

| Root CA | Product | Current Intermediate CA that will be revoked on May 15, 2026 | New Intermediate CA |
|---|---|---|---|
| DigiCert Global Root G2 | Public TLS | DigiCert Global CA G2 | DigiCert Global G2 TLS RSA SHA256 2020 CA1 |
| DigiCert Global Root G2 | Public S/MIME | DigiCert G2 SMIME RSA4096 SHA384 2024 CA1 | DigiCert Assured ID SMIME RSA2048 SHA256 2021 CA1 |
| DigiCert Global Root G3 | Public Code Signing | DigiCert Global G3 Code Signing ECC SHA384 2021 CA1 | DigiCert G5 CS ECC SHA384 2021 CA1 |
| DigiCert Global Root G3 | Public Code Signing | DigiCert Global G3 Code Signing ECC P256 SHA384 2021 CA1 | DigiCert G5 CS ECC SHA384 2021 CA1 |
| DigiCert Global Root G3 | Public Code Signing | DigiCert Global G3 Code Signing Europe ECC P-384 SHA384 2023 CA1 | DigiCert G5 Code Signing Europe ECC P-384 SHA384 2023 CA1 |
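
One way to triage a certificate inventory against the table above, as an added example that is not DigiCert's own tooling. It assumes each certificate's issuer and expiry were collected with `openssl x509 -noout -issuer -enddate`, and it matches on the issuer common name only, which is a first-pass assumption: confirm a hit against the actual ICA certificate in the chain. The status labels and sample outputs are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Issuer CN of each ICA listed for revocation -> its replacement ICA (names from the table).
# Assumption: issuer CN alone identifies the ICA; verify hits against the chain itself.
REVOKED_ICAS = {
    "DigiCert Global CA G2": "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
    "DigiCert G2 SMIME RSA4096 SHA384 2024 CA1": "DigiCert Assured ID SMIME RSA2048 SHA256 2021 CA1",
    "DigiCert Global G3 Code Signing ECC SHA384 2021 CA1": "DigiCert G5 CS ECC SHA384 2021 CA1",
    "DigiCert Global G3 Code Signing ECC P256 SHA384 2021 CA1": "DigiCert G5 CS ECC SHA384 2021 CA1",
    "DigiCert Global G3 Code Signing Europe ECC P-384 SHA384 2023 CA1": "DigiCert G5 Code Signing Europe ECC P-384 SHA384 2023 CA1",
}
REVOCATION = datetime(2026, 5, 15, tzinfo=timezone.utc)  # revocation date stated in this article

def parse_openssl(text):
    """Extract (issuer CN, notAfter) from `openssl x509 -noout -issuer -enddate` output."""
    cn = re.search(r"^issuer=.*?CN\s*=\s*([^,/\n]+)", text, re.M)
    end = re.search(r"^notAfter=(.+?)\s+GMT\s*$", text, re.M)
    if not cn or not end:
        raise ValueError("missing issuer CN or notAfter")
    not_after = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y")
    return cn.group(1).strip(), not_after.replace(tzinfo=timezone.utc)

def triage(text):
    """Return (status, replacement ICA or None) for one certificate."""
    issuer_cn, not_after = parse_openssl(text)
    new_ica = REVOKED_ICAS.get(issuer_cn)
    if new_ica is None:
        return "not-listed", None
    if not_after >= REVOCATION:
        return "reissue-before-revocation", new_ica  # still valid when the ICA is revoked
    return "expires-before-revocation", new_ica      # truncated validity; renew from the new ICA

# Constructed sample outputs (not real certificates).
SAMPLES = {
    "web01": "issuer=C = US, O = DigiCert Inc, CN = DigiCert Global CA G2\n"
             "notAfter=Nov  3 23:59:59 2026 GMT\n",
    "mail": "issuer=C = US, O = DigiCert Inc, CN = DigiCert G2 SMIME RSA4096 SHA384 2024 CA1\n"
            "notAfter=May 14 23:59:59 2026 GMT\n",
    "web02": "issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1\n"
             "notAfter=Nov  3 23:59:59 2026 GMT\n",
}

if __name__ == "__main__":
    for name, output in SAMPLES.items():
        print(name, *triage(output))
```

For code signing certificates, a hit also means checking that existing signatures are timestamped, as described under "What do I need to do?".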


Additional resources

To learn more about what DigiCert is doing to adhere to Google Chrome’s root program requirements, see Sunsetting the client authentication EKU from DigiCert public TLS certificates.

Need help?

If you have questions or concerns, please contact your account manager or DigiCert Support.