URGENT
To increase the ubiquity of our fifth-generation (G5) roots and allow more time to get them into the major browser and operating system trust stores, DigiCert has postponed switching its default public issuance of TLS/SSL certificates to the new public fifth-generation (G5) root and intermediate CA (ICA) certificate hierarchy.
DigiCert will update this article as new information and rollout dates become available.
Brand | Validation type | Product |
DigiCert | OV | |
DigiCert | EV | |
GeoTrust | DV | |
GeoTrust | OV | |
GeoTrust | EV | |
RapidSSL | DV | |
Thawte | DV | |
Thawte | OV | |
Thawte | EV | |
Encryption Everywhere | DV | |
The industry will soon require Certificate Authorities (CAs) to stop issuing public TLS/SSL certificates from multipurpose¹ root and ICA certificates, reducing the scope of certificate issuance from any given certificate chain. This change limits the impact of changes in the industry and in CA/Browser Forum guidelines for root, ICA, and end-entity certificates. For more information, see Mozilla's CA/Prioritization.
Each new single-purpose G5 root chains to a single-purpose ICA certificate. Each new single-purpose G5 ICA certificate will only issue a single type of end-entity certificate.
¹ Note: Multipurpose root and ICA certificates issue different types of certificates, such as TLS, code signing, and client certificates. The new G5 root and ICA certificates restrict each type of certificate to its own dedicated hierarchy.
Root certificates
Root certificates are the anchor of public certificate trust. CAs work with operating systems, browsers, and other applications to get their root certificates included in trust stores to ensure that your public certificates are trusted.
CAs use public root certificates to issue Intermediate CA certificates. They don't use public root certificates to issue your public TLS certificates.
ICA certificates
CAs use ICA certificates to issue TLS and other digital certificates. The ICA certificate links your TLS certificate to the trusted root certificate, enabling browsers and other applications to trust it.
For more information about certificate chains and how they work, see How Certificate Chains Work.
New ICA certificates
Rolling out new ICA certificates typically doesn't require additional work as long as you always install the DigiCert-provided ICA certificate when installing your TLS certificate.
With new ICAs, no action is required unless you do any of the following:
If you do any of the above, we recommend updating your environment. Stop pinning or hard-coding ICA certificate acceptance or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their ICA and trusted root certificates).
New root certificates
Rolling out new root certificates typically doesn't require additional work* unless you do any of the following:
If you do any of the above, we recommend updating your environment. Stop pinning or hard-coding root certificate acceptance and distribute DigiCert G5 roots to the local trust stores to ensure certificates that chain up to the new G5 root certificates are trusted.
Until our new G5 roots have the same ubiquity as the older DigiCert root certificates, we recommend installing the DigiCert-provided cross-signed root along with the intermediate CA certificate included with each TLS/SSL certificate issued from a G5 root certificate hierarchy.
Installing the cross-signed root certificate ensures your TLS certificate remains trusted even when its G5 root certificate is missing from a needed trust store.
See Install the DigiCert G5 cross-signed root CA certificate.
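The two installation points above (always install the DigiCert-provided ICA; install the cross-signed root while the G5 root is not yet in every trust store) can be reproduced with a constructed hierarchy. This is an added example, not DigiCert code: it generates throwaway Ed25519 keys and certificates named "Old Root", "New G5 Root" (plus a cross-signed twin with the same key and subject, issued by the old root), "G5 TLS ICA" and a leaf, then asks Go's chain builder which client-store / server-chain combinations verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a CA or leaf certificate for cn and signs it with parentKey (self-signed when parent is nil).
func issue(cn string, isCA bool, key ed25519.PrivateKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed serial; real CAs use at least 64 random bits
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// trusted reports whether leaf chains to the client's single trusted root (store) using only the
// certificates the server installed beside it (sent): the ICA and, optionally, the cross-signed root.
func trusted(leaf, store *x509.Certificate, sent ...*x509.Certificate) bool {
	inter, roots := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(store)
	for _, c := range sent { inter.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
// Scenarios builds the constructed hierarchy (old root every client trusts, new G5 root only some
// clients trust, its cross-signed twin, a G5 ICA, a leaf) and reports which combinations verify.
func Scenarios() map[string]bool {
	key := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	oldKey, g5Key, icaKey := key(), key(), key()
	oldRoot := issue("Old Root", true, oldKey, nil, nil)
	g5Root := issue("New G5 Root", true, g5Key, nil, nil)
	cross := issue("New G5 Root", true, g5Key, oldRoot, oldKey) // same subject and key as g5Root, issued by oldRoot
	ica := issue("G5 TLS ICA", true, icaKey, g5Root, g5Key)
	leaf := issue("www.example.test", false, key(), ica, icaKey)
	return map[string]bool{
		"G5 root in store, ICA sent":               trusted(leaf, g5Root, ica),
		"G5 root in store, ICA not sent":           trusted(leaf, g5Root),
		"G5 root missing, ICA sent":                trusted(leaf, oldRoot, ica),
		"G5 root missing, ICA + cross-signed sent": trusted(leaf, oldRoot, ica, cross),
	}
}
func main() { fmt.Println(Scenarios()) }
```

Only the first and last scenarios verify: a client that lacks the G5 root accepts the leaf only when the server also sends the cross-signed root, and even a client that has the G5 root rejects the leaf when the ICA is not installed.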
Rolling out new root and ICA certificates does not affect your existing certificates. We only remove old ICA and root certificates from certificate stores once all certificates issued from them have expired to ensure active certificates issued from the replaced root and ICA certificates continue to be trusted.
However, the rollout does affect existing certificates that you reissue after we switch to the new root and intermediate CA (ICA) certificate hierarchy: DigiCert will issue reissued and duplicate certificates from the new G5 root and ICA hierarchies. When installing a reissued or duplicate certificate, make sure to include the new DigiCert-provided ICA. We also recommend installing the provided cross-signed root certificates.
Install the DigiCert provided ICA certificate
When installing a certificate, you should always include the DigiCert-provided ICA certificate. DigiCert has always recommended this best practice to ensure your certificate can link to its root certificate and be trusted.
Install the DigiCert provided cross-signed root certificate
New root certificate | Not valid after | Serial number | Test URL |
DigiCert TLS ECC P384 Root G5 | January 14, 2046, at 23:59:59 UTC | 09:E0:93:65:AC:F7:D9:C8:B9:3E:1C:0B:04:2A:2E:F3 | Test URL |
DigiCert TLS RSA4096 Root G5 | January 14, 2046, at 23:59:59 UTC | 08:F9:B4:78:A8:FA:7E:DA:6A:33:37:89:DE:7C:CF:8A | Test URL |
New Intermediate CA certificate | Issuing root CA certificate |
DigiCert G5 TLS ECC SHA384 2021 CA1 | DigiCert TLS ECC P384 Root G5 |
DigiCert G5 TLS RSA4096 SHA384 2021 CA1 | DigiCert TLS RSA4096 Root G5 |
GeoTrust G5 TLS ECC P-384 SHA384 2022 CA1 | DigiCert TLS ECC P384 Root G5 |
GeoTrust G5 TLS RSA4096 SHA384 2022 CA1 | DigiCert TLS RSA4096 Root G5 |
Thawte G5 TLS ECC P-384 SHA384 2022 CA1 | DigiCert TLS ECC P384 Root G5 |
Thawte G5 TLS RSA4096 SHA384 2022 CA1 | DigiCert TLS RSA4096 Root G5 |
RapidSSL G5 TLS ECC P-384 SHA384 2022 CA1 | DigiCert TLS ECC P384 Root G5 |
RapidSSL G5 TLS RSA4096 SHA384 2022 CA1 | DigiCert TLS RSA4096 Root G5 |