The Google Chrome Root Program requires Certificate Authorities (CAs) to use dedicated TLS root hierarchies for issuing public TLS certificates. To enhance digital trust and comply with the evolving requirements of browser root programs, DigiCert is transitioning to single-purpose root hierarchies dedicated to issuing public TLS end-entity certificates.
For the products and intermediate CA (ICA) certificates affected by this change, see "Intermediate CA certificates along with their end-entity certificates to be revoked on May 15, 2026" below.
Today, DigiCert uses our DigiCert Global Root G2 and DigiCert Global Root G3 hierarchies to issue TLS, code signing, and S/MIME certificates. To transition our G2 and G3 multipurpose PKI hierarchies to dedicated TLS root hierarchies, DigiCert must do the following:
Currently, all certificates issued from the G2 S/MIME ICA, G3 Code Signing ICAs, and the G2 TLS ICA (without the server authentication EKU) can be issued with a validity that extends beyond the May 15, 2026, revocation date.
Starting July 23, 2025, DigiCert will automatically truncate the validity of certificates issued by these intermediate CAs, which are set to be revoked on May 15, 2026. See the “to be revoked” ICA certificates listed in the table below. All newly issued certificates, including new, renewal, reissue, and duplicate certificates, will be set to expire no later than May 14, 2026, at 23:59:59 UTC.
What if I don't want certificates with a truncated validity?
To get certificates that expire after May 14, 2026, use the replacement/new intermediate certificate to issue your certificates. See the new ICA certificates listed in the table below.
On May 15, 2026, DigiCert will revoke the intermediate CA (ICA) certificates listed in the table below, along with all associated end-entity certificates. This revocation is required to transition the DigiCert Global Root G2 and DigiCert Global Root G3 hierarchies into dedicated TLS-only hierarchies.
What do I need to do?
Before May 15, 2026, reissue affected certificates:
Re-sign Java files before code signing certificates are revoked
Java determines the trustworthiness of code-signing signatures based on the certificate's status, not its revocation date. Therefore, all Java signatures become invalid when a code-signing certificate is revoked, regardless of when the revocation occurs.
Root CA | Product | Current Intermediate CA that will be revoked on May 15, 2026 | New Intermediate CA |
DigiCert Global Root G2 | Public TLS | DigiCert Global CA G2 | DigiCert Global G2 TLS RSA SHA256 2020 CA1 |
DigiCert Global Root G2 | Public S/MIME | DigiCert G2 SMIME RSA4096 SHA384 2024 CA1 | DigiCert Assured ID SMIME RSA2048 SHA256 2021 CA1 |
DigiCert Global Root G3 | Public Code Signing | DigiCert Global G3 Code Signing ECC SHA384 2021 CA1 | DigiCert G5 CS ECC SHA384 2021 CA1 |
DigiCert Global Root G3 | Public Code Signing | DigiCert Global G3 Code Signing ECC P256 SHA384 2021 CA1 | DigiCert G5 CS ECC SHA384 2021 CA1 |
DigiCert Global Root G3 | Public Code Signing | DigiCert Global G3 Code Signing Europe ECC P-384 SHA384 2023 CA1 | DigiCert G5 Code Signing Europe ECC P-384 SHA384 2023 CA1 |
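One way to triage a certificate inventory against the table above, as an added example that is not DigiCert tooling: it reads text in the form printed by `openssl x509 -noout -subject -issuer -enddate` (one blank-line-separated record per certificate) and reports which certificates chain to a to-be-revoked ICA, which ICA to reissue from, and whether Java files need re-signing. The function name, status labels and sample records are hypothetical. Matching on the issuer name is a first pass only, since this page singles out the G2 TLS ICA without the server authentication EKU, so confirm each hit against the ICA certificate itself.

```python
import re
from datetime import datetime

# To-be-revoked ICA -> replacement ICA, copied from the table on this page.
G5_CS = "DigiCert G5 CS ECC SHA384 2021 CA1"
REPLACEMENT_ICA = {
    "DigiCert Global CA G2": "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
    "DigiCert G2 SMIME RSA4096 SHA384 2024 CA1":
        "DigiCert Assured ID SMIME RSA2048 SHA256 2021 CA1",
    "DigiCert Global G3 Code Signing ECC SHA384 2021 CA1": G5_CS,
    "DigiCert Global G3 Code Signing ECC P256 SHA384 2021 CA1": G5_CS,
    "DigiCert Global G3 Code Signing Europe ECC P-384 SHA384 2023 CA1":
        "DigiCert G5 Code Signing Europe ECC P-384 SHA384 2023 CA1",
}
REVOCATION = datetime(2026, 5, 15)  # ICA revocation day, 00:00:00 UTC
CN = re.compile(r"CN\s*=\s*([^,/\n]+)")  # handles "CN = x" and "/CN=x"

def triage(openssl_text):
    """Return one finding per blank-line-separated certificate record."""
    findings = []
    for record in re.split(r"\n\s*\n", openssl_text.strip()):
        f = dict(ln.split("=", 1) for ln in record.splitlines() if "=" in ln)
        issuer = CN.search(f["issuer"]).group(1).strip()
        not_after = datetime.strptime(f["notAfter"], "%b %d %H:%M:%S %Y GMT")
        new_ica = REPLACEMENT_ICA.get(issuer)
        status = ("not-affected" if new_ica is None else
                  "outlives-ica" if not_after >= REVOCATION else
                  "truncated")
        findings.append({
            "subject": CN.search(f["subject"]).group(1).strip(),
            "status": status, "reissue_from": new_ica,
            "resign_java": new_ica is not None and "Code Signing" in issuer,
        })
    return findings

# Constructed sample in `openssl x509 -noout -subject -issuer -enddate` form.
SAMPLE = """\
subject=O = Example Corp, CN = legacy.example.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
notAfter=Sep  1 23:59:59 2026 GMT

subject=O = Example Corp, CN = Example Corp
issuer=O = DigiCert Inc, CN = DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
notAfter=May 14 23:59:59 2026 GMT

subject=CN = www.example.com
issuer=O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
notAfter=Mar 10 23:59:59 2026 GMT
"""
```

A record marked `outlives-ica` is still unexpired on May 15, 2026 and needs reissuing from the ICA in `reissue_from` before that date; `truncated` marks a certificate that already expires by May 14, 2026.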
To learn more about what DigiCert is doing to adhere to Google Chrome’s root program requirements, see Sunsetting the client authentication EKU from DigiCert public TLS certificates.
If you have questions or concerns, please contact your account manager or DigiCert Support.