DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

DigiCert root and intermediate CA certificate updates 2023

Solution ID : GN151122215439
Last Modified : 11/01/2023

Description

On March 8, 2023, at 10:00 MST (17:00 UTC), DigiCert will begin updating the default public issuance of TLS/SSL certificate to our public, second-generation (G2) root, and intermediate CA (ICA) certificate hierarchies.

Important:

DigiCert will update this article as new information becomes available.

Why will DigiCert start issuing public TLS/SSL certificates from G2 root and intermediate CA certificate hierarchies?

In 2025, Mozilla will begin distrusting older DigiCert root certificates. On the dates specified in the Mozilla certificate distrust and dates table below, Mozilla will also stop trusting your active end-entity certificates: first, TLS/SSL certificates and then S/MIME certificates.

DigiCert has timed the move to G2 root certificate hierarchies to ensure your existing certificates will not be affected by the Mozilla distrust policy. Your active TLS/SSL certificates issued from the G1 hierarchy will remain trusted until they expire.

Secure up to 250 subdomains with a DigiCert wildcard TLS/SSL certificate.

Buy now

Mozilla certificate distrust and dates

Generation Root certificate *Mozilla TLS distrust date *Mozilla S/MIME distrust date
G1 Baltimore CyberTrust Root

April 15, 2025

The BaltimoreCyberTrust Root certificate expires on May 12, 2025.

N/A

The BaltimoreCyberTrust Root certificate expires on May 12, 2025.
G1 DigiCert Assured ID Root CA April 15, 2026 April 15. 2029
G1 DigiCert Global Root CA April 15, 2026 April 15. 2029
G1 DigiCert High Assurance EV Root CA April 15, 2026 April 15. 2029
G2 DigiCert Global Root G2 April 15. 2029 April 15. 2032
G5 DigiCert TLS RSA4096 Root G5 Jan 15, 2036

N/A

This G5 Hierarchy doesn't issue S/MIME certificates.
*On the distrust date, Mozilla will also stop trusting your active end-entity certificates: first TLS/SSL certificates and then S/MIME certificates.

Affected DigiCert brands

Brand Validation type Product
DigiCert OV
  • Basic OV
  • Secure Site OV
  • Secure Site Pro SSL
  • Cloud
  • Standard SSL
  • Multi-Domain SSL
  • Wildcard
  • Secure Site SSL
  • Secure Site Multi-Domain SSL
  • Secure Site Wildcard SSL
DigiCert EV
  • Basic EV
  • Secure Site EV
  • Secure Site Pro EV SSL
  • Extended Validation SSL
  • EV Multi-Domain SSL
  • Secure Site EV SSL
  • Secure Site EV Multi-Domain SSL
GeoTrust DV
  • GeoTrust DV SSL
  • GeoTrust Cloud DV
  • GeoTrust Standard DV
  • GeoTrust Wildcard DV
GeoTrust OV
  • GeoTrust TrueBusiness ID OV
GeoTrust EV
  • GeoTrust TrueBusiness ID EV
RapidSSL DV
  • RapidSSL Standard DV
  • RapidSSL Wildcard DV
Thawte DV
  • Thawte SSL 123 DV
Thawte OV
  • Thawte SSL Webserver OV
Thawte EV
  • Thawte SSL Webserver EV
Encryption Everywhere DV
  • Encryption Everywhere DV

March 8, 2023, ICA/Root Replacements

Certificate brand G1 ICA certificate - current G1 root certificate - current G2 ICA certificate - new G2 Root certificate - new
DigiCert DigiCert TLS RSA SHA256 2020 CA1 DigiCert Global Root CA DigiCert Global G2 TLS RSA SHA256 2020 CA1 DigiCert Global Root G2
DigiCert DigiCert SHA2 Extended Validation Server CA DigiCert High Assurance EV Root CA DigiCert EV RSA CA G2 DigiCert Global Root G2
Thawte Thawte RSA CA 2018 DigiCert Global Root CA Thawte TLS RSA CA G1 DigiCert Global Root G2
Thawte Thawte EV RSA CA 2018 DigiCert High Assurance EV Root CA Thawte EV RSA CA G2 DigiCert Global Root G2
GeoTrust GeoTrust RSA CA 2018 DigiCert Global Root CA GeoTrust TLS RSA CA G1 DigiCert Global Root G2
GeoTrust GeoTrust EV RSA CA 2018 DigiCert High Assurance EV Root CA GeoTrust EV RSA CA G2 DigiCert Global Root G2
GeoTrust GeoTrust Global TLS RSA4096 SHA256 2022 CA1 DigiCert Global Root CA GeoTrust TLS RSA CA G1 DigiCert Global Root G2
RapidSSL RapidSSL Global TLS RSA4096 SHA256 2022 CA1 DigiCert Global Root CA RapidSSL TLS RSA CA G1 DigiCert Global Root G2
Encryption Everywhere Encryption Everywhere DV TLS CA - G1 DigiCert Global Root CA Encryption Everywhere DV TLS CA - G2 DigiCert Global Root G2

What are root and ICA certificates used for?

Root certificates

Root certificates are the anchor of public certificate trust. Certificate Authorities (CAs) work with operating systems, browsers, and other applications to get their root certificates included in trust stores to ensure that your public certificates are trusted.

CAs use public root certificates to issue Intermediate CA certificates. They don't use root certificates to issue your public TLS certificates.

ICA certificates

CAs use ICA certificates to issue TLS and other digital certificates. The ICA certificate also links your TLS certificate to the root certificate in a trust store, enabling browsers and other applications to trust it.

For more information about certificate chains and how they work, see How Certificate Chains Work.

How do switching root and ICA certificates affect me?

Switching to a different certificate hierarchy typically doesn't require additional work as long as you always install the DigiCert-provided ICA certificate when installing your TLS certificate.

With the change to G2 certificate hierarchies, no action is required unless you do any of the following:

  • Pin ICA/Root certificates
  • Hard-code the acceptance of ICA/Root certificates
  • Operate a trust store

If you do any of the above, we recommend updating your environment before March 8, 2023. Stop pinning or hard-coding root or ICA certificate acceptance or make the necessary changes to ensure certificates issued from the G2 certificate hierarchy are trusted (in other words, they can chain up to their trusted G2 root certificate).

What if I don’t want to stop pinning or hard coding certificate trust?

DigiCert will eventually replace the G2 root and ICA certificate hierarchies with our new single-purpose G5 root and ICA certificate hierarchies.

We recommend moving straight to DigiCert’s new single-purpose G5 root and ICA certificate hierarchies for issuing your TLS/SSL certificates. Then, you will have the option to issue certificates from a G5 ICA certificate. Because the G5 roots lack the ubiquity of our older roots, you must add a fourth certificate to your certificate chain, a cross-signed root, to ensure your certificates are trusted. However, you will only need to prepare your environment once.

See our DigiCert G5 Root and Intermediate CA Certificate Update knowledge base article for more information.

How do switching root and ICA certificates affect my existing certificates?

Switching to the G2 root and ICA certificates does not affect your existing certificates. DigiCert has timed the move to G2 root certificate hierarchies to ensure your existing certificates will not be affected by the Mozilla distrust policy. Active TLS/SSL certificates issued from a G1 hierarchy will remain trusted until they expire.

However, newly issued, renewed, reissued, and duplicate certificates issued after March 8, 2023, will chain to the G2 root hierarchy. When installing your certificates, make sure to include the DigiCert-provided ICA certificate.

Best practice: Install the DigiCert provided ICA certificate

When installing a certificate, you should always include the DigiCert-provided ICA certificate. DigiCert has always recommended this best practice to ensure your certificate can link to its root certificate and be trusted.

What if I need more time to update my environment?

If you need more time to prepare, contact DigiCert Support. We will set up your account so you can continue to use the first-generation root and ICA certificates you are using now.

When deciding how long to stay on your current root, remember that Mozilla root distrust includes the ICA certificate and TLS/SSL certificates linked to the root. To remain trusted, all active certificates, including reissues and duplicates, must be reissued from a G2 or newer root hierarchy before the root certificate is distrusted.

  • DigiCert Logo

    The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.