Alert ID : GN080722155248

Last Modified : 09/19/2022

DigiCert G5 Root and Intermediate CA Certificate Update

URGENT

Description

On March 8, 2023, at 10:00 MST (17:00 UTC), DigiCert will begin moving the default public issuance of TLS/SSL certificates to new, public, fifth-generation (G5) root and intermediate CA (ICA) certificate hierarchies.
 

Important:

DigiCert will continue to update this article as new information and cross-signed roots become available.

 

DigiCert brand certificates

Brand | Validation type | Product
DigiCert OV

  • Basic OV
  • Secure Site OV
  • Secure Site Pro SSL
  • Cloud
  • Standard SSL
  • Multi-Domain SSL
  • Wildcard
  • Secure Site SSL
  • Secure Site Multi-Domain SSL
  • Secure Site Wildcard SSL
DigiCert EV
  • Basic EV
  • Secure Site EV
  • Secure Site Pro EV SSL
  • Extended Validation SSL
  • EV Multi-Domain SSL
  • Secure Site EV SSL
  • Secure Site EV Multi-Domain SSL
GeoTrust DV
  • GeoTrust DV SSL
  • GeoTrust Cloud DV
  • GeoTrust Standard DV
  • GeoTrust Wildcard DV
GeoTrust OV
  • GeoTrust TrueBusiness ID OV
GeoTrust EV
  • GeoTrust TrueBusiness ID EV
RapidSSL DV
  • RapidSSL Standard DV
  • RapidSSL Wildcard DV
Thawte DV
  • Thawte SSL 123 DV
Thawte OV
  • Thawte SSL Webserver OV
Thawte EV
  • Thawte SSL Webserver EV
Encryption Everywhere DV
  • Encryption Everywhere DV
 

Why is DigiCert moving to new root and ICA certificates?

The industry now requires Certificate Authorities (CAs) to move away from multipurpose roots and ICA certificates to reduce the scope of certificate issuance from any given certificate chain. This change mitigates the impact of changes in the industry and CA/Browser Forum guidelines for root, ICA, and end-entity certificates. For more information, see Mozilla's CA/Prioritization.

Each new single-purpose G5 root chains to a single-purpose ICA certificate. Each new single-purpose G5 ICA certificate will only issue a single type of end-entity certificate.

Note: Multipurpose root and ICA certificates issue different types of certificates, such as TLS, code signing, and client. The new G5 root and ICA certificates restrict each type of certificate to its own dedicated hierarchy.

What are root and ICA certificates used for?

Root certificates

Root certificates are the anchor of public certificate trust. CAs work with operating systems, browsers, and other applications to get their root certificates included in trust stores to ensure that your public certificates are trusted.

CAs use public root certificates to issue Intermediate CA certificates. They don't use public root certificates to issue your public TLS certificates.

ICA certificates

CAs use ICA certificates to issue TLS and other digital certificates. The ICA certificate links your TLS certificate to the trusted root certificate, enabling browsers and other applications to trust it.

For more information about certificate chains and how they work, see How Certificate Chains Work.

How do new root and ICA certificates affect me?

New ICA certificates

Rolling out new ICA certificates typically doesn't require additional work as long as you always install the DigiCert-provided ICA certificate when installing your TLS certificate.

With new ICAs, no action is required unless you do any of the following:

  • Pin ICA certificates
  • Hard-code the acceptance of ICA certificates
  • Operate a trust store

If you do any of the above, we recommend updating your environment before March 8, 2023. Stop pinning or hard-coding ICA certificate acceptance or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their ICA and trusted root certificates).


New root certificates

Rolling out new root certificates typically doesn't require additional work* unless you do any of the following:

  • Pin root certificates
  • Hard-code the acceptance of root certificates
  • Operate a trust store

If you do any of the above, we recommend updating your environment before March 8, 2023. Stop pinning or hard-coding root certificate acceptance and distribute DigiCert G5 roots to the local trust stores to ensure certificates that chain up to the new G5 root certificates are trusted. 

Installing a cross-signed root certificate

Important

Until our new G5 roots have the same ubiquity as the older DigiCert root certificates, we recommend installing the DigiCert-provided cross-signed root along with the intermediate CA certificate included with each TLS/SSL certificate issued from a G5 root certificate hierarchy. 

Installing the cross-signed root certificate ensures your TLS certificate remains trusted even when its G5 root certificate is missing from a needed trust store.

We will add links to instructions for installing a cross-signed root certificate as soon as they become available.

 

How do root and ICA certificate replacements affect my existing certificates?

Rolling out new root and ICA certificates does not affect your existing certificates. We don't remove old ICA and root certificates from certificate stores until all the certificates issued from them have expired. So active certificates issued from replaced root and ICA certificates continue to be trusted.

However, it does affect existing certificates if you reissue them from March 8, 2023. DigiCert will issue reissued and duplicate certificates from the new G5 root and ICA certificate hierarchies. When installing the reissued or duplicate certificate, make sure to include the new DigiCert-provided ICA and cross-signed root certificates.

Best practice

Install the DigiCert-provided ICA certificate

When installing a certificate, you should always include the DigiCert-provided ICA certificate. DigiCert has always recommended this best practice to ensure your certificate can link to its root certificate and be trusted.


Install the DigiCert-provided cross-signed root certificate

Installing the cross-signed root certificate ensures your TLS certificate remains trusted even when its G5 root certificate is missing from a needed trust store.
 
Until our new G5 roots have the same ubiquity as the older DigiCert root certificates, you should always install the DigiCert-provided cross-signed root along with the intermediate CA certificate included with each TLS/SSL certificate issued from a G5 root certificate hierarchy.

DigiCert has always recommended this best practice to ensure certificates issued from new root certificate hierarchies are trusted. See Installing a cross-signed root above.
 

What if I need more time?

If you need more time to prepare, contact DigiCert Support. We will set up your account so you can continue to use the root and ICA certificates you are using now.
 

Mozilla to distrust four DigiCert roots in 2024

The industry is moving to dedicated hierarchies, so the longer you stay on the old roots and ICA certificates, the less time you will have to move off them when the industry stops trusting them.

In 2024, Mozilla will distrust four DigiCert root certificates. If your TLS/SSL certificates are issued from any root certificates in the table below, you should move to new G5 root dedicated hierarchies before your root is distrusted.


Mozilla certificate distrust and dates

Root certificate | Mozilla distrust date**
Baltimore CyberTrust Root | April 15, 2024
DigiCert Assured ID Root CA | November 10, 2024
DigiCert Global Root CA | November 10, 2024
DigiCert High Assurance EV Root CA | November 10, 2024
**TLS/SSL certificates issued before these dates will remain trusted until they expire. However, new certificates issued from these dates will no longer be trusted, including reissues and duplicates.


Root and Intermediate CA certificate replacements


Visit the DigiCert Trusted Root Authority Certificates page to download copies of DigiCert ICA and root certificates.
 
G5 TLS Root certificates

New root certificate | Not valid after | Serial number | Test URL
DigiCert TLS ECC P384 Root G5 | January 14, 2046, at 23:59:59 UTC | 09:E0:93:65:AC:F7:D9:C8:B9:3E:1C:0B:04:2A:2E:F3 | Test URL
DigiCert TLS RSA4096 Root G5 | January 14, 2046, at 23:59:59 UTC | 08:F9:B4:78:A8:FA:7E:DA:6A:33:37:89:DE:7C:CF:8A | Test URL
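
For readers who operate a trust store, the following added example (not DigiCert's code) audits a list of CA certificates, in the dict shape Python's ssl.SSLContext.get_ca_certs() returns, for the two G5 roots using the serial numbers in the table above. It separates a self-signed G5 root from a cross-signed copy that carries the same subject. The function names, the sample store and its "Constructed Older Root" issuer are assumptions made up for illustration.

```python
import ssl

# Serial numbers copied from the "G5 TLS Root certificates" table on this page.
G5_ROOT_SERIALS = {
    "DigiCert TLS ECC P384 Root G5": "09:E0:93:65:AC:F7:D9:C8:B9:3E:1C:0B:04:2A:2E:F3",
    "DigiCert TLS RSA4096 Root G5": "08:F9:B4:78:A8:FA:7E:DA:6A:33:37:89:DE:7C:CF:8A",
}

def serial_to_int(serial):
    """Normalise '09:E0:...' or '9e0...' so colons, case and leading zeros don't matter."""
    return int(serial.replace(":", ""), 16)

def common_name(rdns):
    """Pull commonName out of the nested-tuple name format the ssl module uses."""
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def audit_trust_store(ca_certs):
    """Map each G5 root to 'present', 'cross-signed only', 'serial mismatch' or 'missing'."""
    report = {name: "missing" for name in G5_ROOT_SERIALS}
    for cert in ca_certs:
        name = common_name(cert.get("subject", ()))
        if name not in G5_ROOT_SERIALS:
            continue
        self_signed = cert.get("subject") == cert.get("issuer")
        serial_ok = serial_to_int(cert["serialNumber"]) == serial_to_int(G5_ROOT_SERIALS[name])
        if self_signed and serial_ok:
            report[name] = "present"
        elif report[name] != "present":
            # Same subject, other issuer: a cross-signed copy that relies on its issuer's trust.
            report[name] = "serial mismatch" if self_signed else "cross-signed only"
    return report

def load_bundle(cafile):
    """Read a PEM bundle (caller-supplied path) into the dict format used above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()

def make_name(cn):
    return ((("commonName", cn),),)

# Constructed sample store: one self-signed G5 root, one cross-signed copy (made-up issuer/serial).
SAMPLE_STORE = [
    {"subject": make_name("DigiCert TLS ECC P384 Root G5"), "issuer": make_name("DigiCert TLS ECC P384 Root G5"), "serialNumber": "09E09365ACF7D9C8B93E1C0B042A2EF3"},
    {"subject": make_name("DigiCert TLS RSA4096 Root G5"), "issuer": make_name("Constructed Older Root"), "serialNumber": "0123ABCD"},
]
```

To audit a real bundle, pass the result of `load_bundle()` for your PEM file to `audit_trust_store()`.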
 

G5 Intermediate CA certificates
 
New Intermediate CA certificate | Issuing root CA certificate
DigiCert G5 TLS ECC SHA384 2021 CA1 | DigiCert TLS ECC P384 Root G5
DigiCert G5 TLS RSA4096 SHA384 2021 CA1 | DigiCert TLS RSA4096 Root G5
GeoTrust G5 TLS ECC P-384 SHA384 2022 CA1 | DigiCert TLS ECC P384 Root G5
GeoTrust G5 TLS RSA4096 SHA384 2022 CA1 | DigiCert TLS RSA4096 Root G5
Thawte G5 TLS ECC P-384 SHA384 2022 CA1 | DigiCert TLS ECC P384 Root G5
Thawte G5 TLS RSA4096 SHA384 2022 CA1 | DigiCert TLS RSA4096 Root G5
RapidSSL G5 TLS ECC P-384 SHA384 2022 CA1 | DigiCert TLS ECC P384 Root G5
RapidSSL G5 TLS RSA4096 SHA384 2022 CA1 | DigiCert TLS RSA4096 Root G5