New TLS/SSL Intermediate CA Certificates 2025

Solution ID : INFO152
Last Modified : 04/22/2025

Description

Important: This is a dynamic article. We will update it when new information becomes available. Save this page and check back periodically for the latest information. 


On July 15, 2025, at 10:00 MDT (16:00 UTC), DigiCert will make the following changes to our public TLS/SSL certificate issuance process to align with changes in the Google Chrome Root Program:

  • Issue public TLS/SSL certificates with only the Server Authentication extended key usage (EKU) by default.
  • Temporarily, provide an option to issue public TLS/SSL certificates with both the Server Authentication and Client Authentication EKUs. DigiCert will remove this option from TLS certificate enrollment in June 2026.
  • Issue public TLS/SSL certificates from new industry-compliant intermediate CA (ICA) certificates.


Why is DigiCert issuing public TLS certificates with only the Server Authentication EKU from new ICA certificates?

Currently, when DigiCert issues our public TLS, client authentication, code signing, and document signing certificates, they all chain up to the same public Root CAs, such as DigiCert Global Root G2. These are referred to as multipurpose hierarchies.

By default, we also include the Server and Client Authentication EKUs in our public TLS certificates.

On June 15, 2026, Google Chrome will only trust public TLS certificates with the Server Authentication EKU issued from dedicated TLS server authentication hierarchies, as stated in section 3.2.2, "PKI Hierarchies included in the Chrome Root Store", of the Chrome Root Program Policy, Version 1.6.

As a result of the Chrome Root Program Policy changes, starting June 15, 2026, Google Chrome will distrust any public TLS certificate issued from multipurpose hierarchies, as well as TLS certificates that include both the Server Authentication and Client Authentication EKUs.


Timeline of events with Chrome policy and DigiCert plan

| Change | Timeline | Chrome policy | DigiCert plan |
|---|---|---|---|
| Extended Key Usage (EKU) | Before June 15, 2026 | Both Server and Client Authentication EKUs can be included in TLS certificates. | July 15, 2025: Start issuing TLS certificates with only the Server Authentication EKU by default. Temporarily, provide an option to include both EKUs during enrollment. |
| Extended Key Usage (EKU) | After June 15, 2026 | Only Server Authentication can be included in TLS certificates. | June 2026: Remove the option to include both EKUs during enrollment and only issue TLS certificates with the Server Authentication EKU. |
| Root CA hierarchies | Before June 15, 2026 | TLS certificates may be issued from multipurpose root hierarchies. | July 15, 2025: DigiCert will convert DigiCert Global Root G2 and Global Root G3 to dedicated TLS hierarchies. |
| Root CA hierarchies | After June 15, 2026 | TLS certificates must be issued from dedicated TLS root hierarchies. | |


How does removing the Client Authentication EKU affect me?

No action is required if you don’t use the Client Authentication EKU in your TLS certificate process. Removing this EKU from your TLS certificates does not affect you.

What if I use the Client Authentication EKU in my TLS certificate process?

Starting July 15, 2025, DigiCert will issue TLS certificates with only the Server Authentication EKU by default. However, DigiCert will provide an option to include both EKUs in your TLS certificate during enrollment until June 2026.


How does switching ICA certificates affect me?

Switching to a different ICA certificate doesn't require more work as long as you always install the DigiCert-provided ICA certificate when installing your TLS certificate. For more information about certificate chains and how they work, see How Certificate Chains Work.

If you do any of the following things, action is required:

  • Pin ICA certificates
  • Hard-code the acceptance of ICA certificates
  • Operate a trust store

If you do any of the above, we recommend updating your environment before July 15, 2025. Stop pinning or hard-coding ICA certificate acceptance, or make the necessary changes to your environment to ensure certificates issued from the new ICA certificate are trusted (in other words, they can chain up to their trusted G2 or G3 root certificate). 
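The following added example (not DigiCert code) shows one way to inventory which deployed certificates are touched by the two changes above: it reads the text that `openssl x509 -noout -text` prints and flags a Client Authentication EKU and an issuer that appears in this page's list of current multipurpose ICAs. The function names and the two sample inputs are constructed for illustration; the ICA names come from the DigiCert-brand replacement table on this page.

```python
import re

# Current multipurpose ICA names copied from the DigiCert-brand replacement
# table on this page; extend the set with the other brands' rows as needed.
MULTIPURPOSE_ICAS = {
    "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
    "DigiCert EV RSA CA G2",
    "DigiCert Global G3 TLS ECC SHA384 2020 CA1",
    "DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1",
    "DigiCert G3 TLS EU ECC P-384 SHA384 2022 CA1",
}

def parse_cert_text(text):
    """Pull issuer CN and EKU names out of `openssl x509 -noout -text` output."""
    # Handles both "CN = name" (OpenSSL 1.1.1) and "CN=name" (OpenSSL 3.x);
    # assumes CN is the last attribute on the Issuer line.
    issuer = re.search(r"^\s*Issuer:.*?CN\s*=\s*(.+?)\s*$", text, re.M)
    eku = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*(.+)", text)
    names = [n.strip() for n in eku.group(1).split(",")] if eku else []
    return (issuer.group(1) if issuer else None), names

def audit(text):
    """Return (issuer CN, findings) for one certificate."""
    issuer_cn, ekus = parse_cert_text(text)
    findings = []
    if "TLS Web Client Authentication" in ekus:
        # A default reissue or renewal after July 15, 2025 drops this EKU.
        findings.append("clientauth-eku")
    if issuer_cn in MULTIPURPOSE_ICAS:
        # The replacement certificate will chain through a new ICA.
        findings.append("multipurpose-ica")
    return issuer_cn, findings

# Constructed sample input (not real certificates).
SAMPLE_CURRENT = """\
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
        Subject: CN = www.example.com
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""
SAMPLE_NEW = """\
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA4096 SHA256 2025 CA1
        Subject: CN=www.example.com
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CURRENT, SAMPLE_NEW):
        print(audit(sample))
```

A certificate flagged `clientauth-eku` that is actually presented as a client certificate needs both EKUs selected at enrollment; one flagged `multipurpose-ica` needs the new ICA installed alongside it at its next reissue or renewal.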


How does removing the Client Authentication EKU and switching ICA certificates affect my existing certificates?

Switching to a new ICA certificate does not affect your existing certificates' trust. Valid TLS/SSL certificates issued with the Client Authentication and Server Authentication EKUs and/or from multipurpose ICA certificates will remain trusted until they expire.

What about reissues, duplicates, and renewals?

Starting July 15, 2025, DigiCert will issue new, renewed, reissued, and duplicate TLS certificates with only the Server Authentication EKU from new ICA certificates. When installing your TLS certificates, always include the DigiCert-provided ICA certificate.

If you need public TLS certificates with both the Server Authentication and Client Authentication EKUs, make sure to include both EKUs in your certificate during the enrollment.


What if I need more time to update my TLS certificate process?

If you need more time to prepare, contact DigiCert Support. We will set up your account so you can continue using the multipurpose ICA certificate you are using now until you can switch to the new ICA certificate.


Affected DigiCert brands

| Brand | Validation type | Product |
|---|---|---|
| DigiCert | OV | Basic OV, Secure Site OV, Secure Site Pro SSL, Cloud, Standard SSL, Multi-Domain SSL, Wildcard, Secure Site SSL, Secure Site Multi-Domain SSL, Secure Site Wildcard SSL |
| DigiCert | EV | Basic EV, Secure Site EV, Secure Site Pro EV SSL, Extended Validation SSL, EV Multi-Domain SSL, Secure Site EV SSL, Secure Site EV Multi-Domain SSL |
| GeoTrust | DV | GeoTrust DV SSL, GeoTrust Cloud DV, GeoTrust Standard DV, GeoTrust Wildcard DV |
| GeoTrust | OV | GeoTrust TrueBusiness ID OV |
| GeoTrust | EV | GeoTrust TrueBusiness ID EV |
| Thawte | DV | Thawte SSL 123 DV |
| Thawte | OV | Thawte SSL Webserver OV |
| Thawte | EV | Thawte SSL Webserver EV |
| RapidSSL | DV | RapidSSL Standard DV, RapidSSL Wildcard DV |
| Encryption Everywhere | DV | Encryption Everywhere DV |


July 15, 2025, ICA certificate replacement

Important
When the new ICA certificates are live, we will update the ICA certificate replacement tables below and add download PEM and download DER/CRT links. Then, if you want to start issuing certificates from a new ICA certificate before July 15, 2025, contact your account manager or DigiCert Support.


ICA certificate replacements:


DigiCert brand ICA certificate replacements

| CertCentral Instance | Signature algorithm | Current multipurpose ICA certificate | New ICA certificate |
|---|---|---|---|
| CertCentral Global | RSA | DigiCert Global G2 TLS RSA SHA256 2020 CA1; DigiCert EV RSA CA G2 | DigiCert Global G2 TLS RSA4096 SHA256 2025 CA1 |
| CertCentral Global | ECC | DigiCert Global G3 TLS ECC SHA384 2020 CA1 | DigiCert Global G3 TLS ECC P-384 SHA384 2025 CA1 |
| CertCentral Europe | RSA | DigiCert G2 TLS EU RSA4096 SHA384 2022 CA1 | DigiCert Global G2 TLS Europe RSA4096 SHA256 2025 CA1 |
| CertCentral Europe | ECC | DigiCert G3 TLS EU ECC P-384 SHA384 2022 CA1 | DigiCert Global G3 TLS Europe ECC P-384 SHA384 2025 CA1 |


GeoTrust brand ICA certificate replacements

| CertCentral Instance | Signature algorithm | Current multipurpose ICA certificate | New ICA certificate |
|---|---|---|---|
| CertCentral Global | RSA | GeoTrust TLS RSA CA G1; GeoTrust EV RSA CA G2 | GeoTrust Global G2 TLS RSA4096 SHA256 2025 CA1 |
| CertCentral Global | ECC | GeoTrust TLS ECC CA G1 | GeoTrust Global G3 TLS ECC P-384 SHA384 2025 CA1 |
| CertCentral Europe | RSA | GeoTrust Global G2 TLS EUR RSA4096 SHA384 2023 CA1 | GeoTrust Global G2 TLS Europe RSA4096 SHA256 2025 CA1 |
| CertCentral Europe | ECC | GeoTrust Global G3 TLS EUR ECC P384 SHA384 2023 CA1 | GeoTrust Global G3 TLS Europe ECC P-384 SHA384 2025 CA1 |


Thawte brand ICA certificate replacements

| CertCentral Instance | Signature algorithm | Current multipurpose ICA certificate | New ICA certificate |
|---|---|---|---|
| CertCentral Global | RSA | Thawte TLS RSA CA G1; Thawte EV RSA CA G2 | Thawte Global G2 TLS RSA4096 SHA256 2025 CA1 |
| CertCentral Global | ECC | Thawte TLS ECC CA G1 | Thawte Global G3 TLS ECC P-384 SHA384 2025 CA1 |


RapidSSL brand ICA certificate replacements

| CertCentral Instance | Signature algorithm | Current multipurpose ICA certificate | New ICA certificate |
|---|---|---|---|
| CertCentral Global | RSA | RapidSSL TLS RSA CA G1 | RapidSSL Global G2 TLS RSA4096 SHA256 2025 CA1 |
| CertCentral Global | ECC | RapidSSL TLS ECC CA G1 | RapidSSL Global G3 TLS ECC P-384 SHA384 2025 CA1 |


Encryption Everywhere brand ICA certificate replacements

| CertCentral Instance | Signature algorithm | Current multipurpose ICA certificate | New ICA certificate |
|---|---|---|---|
| CertCentral Global | RSA | Encryption Everywhere DV TLS CA - G2 | Encryption Everywhere G3 TLS ECC P-384 SHA384 2025 CA1 |
| CertCentral Global | ECC | Encryption Everywhere G3 TLS ECC P384 SHA384 2023 CA1 | Encryption Everywhere Global G2 TLS RSA4096 SHA256 2025 CA1 |