Knowledge Base

The Google Chrome Root Program requires Certificate Authorities (CAs) to use dedicated TLS root hierarchies for issuing public TLS certificates. To enhance digital trust and comply with the evolving requirements of browser root programs, DigiCert is transitioning to single-purpose root hierarchies dedicated to issuing public TLS end-entity certificates.

To see the products and intermediate CA (ICA) certificates affected by this change, see Intermediate CA certificate along with their end-entity certificates to be revoked on May 15, 2026, below.

Items covered in this article

• What is changing
• Transition to dedicated TLS root hierarchies’ timeline
  • July 23, 2025: Truncate end-entity certificate validity
  • May 15, 2026: Revoke intermediate CA certificates along with all associated end-entity certificates

• Intermediate CA certificate along with their end-entity certificates to be revoked on May 15, 2026
• Additional resources
• Need help?
   

What is changing

Today, DigiCert uses our DigiCert Global Root G2 and DigiCert Global Root G3 hierarchies to issue TLS, code signing, and S/MIME certificates. To transition our G2 and G3 multipurpose PKI hierarchies to dedicated TLS root hierarchies, DigiCert must do the following:

• Revoke the G2 S/MIME and G3 Code Signing ICA certificates and their associated end-entity certificates.
• Revoke one G2 TLS ICA certificate along with its associated TLS certificates. This ICA certificate does not contain the Google Chrome required server authentication extended key usage (EKU).
   

Transition to dedicated TLS root hierarchies’ timeline

• July 23, 2025: Truncate certificate validity
• May 15, 2026: Revoke certificates

July 23, 2025: Truncate end-entity certificate validity

Currently, all certificates issued from the G2 S/MIME ICA, G3 Code Signing ICAs, and the G2 TLS ICA (without the server authentication EKU) can be issued with a validity that extends beyond the May 15, 2026, revocation date.

Starting July 23, 2025, DigiCert will automatically truncate the validity of certificates issued by these intermediate CAs, which are set to be revoked on May 15, 2026. See the “to be revoked” ICA certificates listed in the table below. All newly issued certificates, including new, renewal, reissue, and duplicate certificates, will be set to expire no later than May 14, 2026, at 23:59:59 UTC.

What if I don't want certificates with a truncated validity?

To get certificates that expire after May 14, 2026, use the replacement/new intermediate certificate to issue your certificates. See the new ICA certificates listed in the table below.

May 15, 2026: Revoke intermediate CA certificates along with all associated end-entity certificates

On May 15, 2026, DigiCert will revoke the intermediate CA (ICA) certificates listed in the table below, along with all associated end-entity certificates. This revocation is required to transition the DigiCert Global Root G2 and DigiCert Global Root G3 hierarchies into dedicated TLS-only hierarchies.

What do I need to do?

Before May 15, 2026, reissue affected certificates:

• TLS and S/MIME certificates
  • Reissue your affected certificates with their replacement/new intermediate certificate.
  • Install the reissued certificate.
• Code Signing certificates
  • Make sure you've timestamped your signatures. Timestamped signatures remain trusted after the code signing certificate is revoked.
  • Resign non-timestamped files and other file types as needed before the code signing certificate is revoked.
    

    Resign Java files before code signing certificates are revoked Java determines the trustworthiness of code-signing signatures based on the certificate's status, not its revocation date. Therefore, all Java signatures become invalid when a code-signing certificate is revoked, regardless of when the revocation occurs.

  • Reissue your affected certificates with their replacement/new intermediate certificate.
     

Intermediate CA certificates along with their end-entity certificates to be revoked on May 15, 2026

Additional resources

To learn more about what DigiCert is doing to adhere to Google Chrome’s root program requirements, see Sunsetting the client authentication EKU from DigiCert public TLS certificates.

Need help?

If you have questions or concerns, please contact your account manager or DigiCert Support.