Ask a Question

Advanced Search

Alert ID : GN151122215439

Last Modified : 11/16/2022

DigiCert root and intermediate CA certificate updates 2023

Description

On March 8, 2023, at 10:00 MST (17:00 UTC), DigiCert will begin updating the default public issuance of TLS/SSL certificate to our public, second-generation (G2) root, and intermediate CA (ICA) certificate hierarchies.


  Important:

  DigiCert will update this article as new information becomes available.

 

Why will DigiCert start issuing public TLS/SSL certificates from G2 root and intermediate CA certificate hierarchies?

In 2025, Mozilla will begin distrusting older DigiCert root certificates. On the dates specified in the Mozilla certificate distrust and dates table below, Mozilla will also stop trusting your active end-entity certificates: first, TLS/SSL certificates and then S/MIME certificates.

DigiCert has timed the move to G2 root certificate hierarchies to ensure your existing certificates will not be affected by the Mozilla distrust policy. Your active TLS/SSL certificates issued from the G1 hierarchy will remain trusted until they expire.

Mozilla certificate distrust and dates

Generation Root certificate *Mozilla TLS distrust date *Mozilla S/MIME distrust date
 G1

 Baltimore CyberTrust Root

 April 15, 2025

The BaltimoreCyberTrust Root certificate expires on May 12, 2025.

 N/A

The BaltimoreCyberTrust Root certificate expires on May 12, 2025.

 G1  DigiCert Assured ID Root CA

 April 15, 2026

 April 15. 2029
 G1  DigiCert Global Root CA

 April 15, 2026

 April 15. 2029
 G1  DigiCert High Assurance EV Root CA

 April 15, 2026

 April 15. 2029
 G2  DigiCert Global Root G2  April 15. 2029  April 15. 2032
 G5  DigiCert TLS RSA4096 Root G5  Jan 15, 2036  N/A
This G5 Hierarchy doesn't issue S/MIME certificates.

 *On the distrust date, Mozilla will also stop trusting your active end-entity certificates: first TLS/SSL certificates and then S/MIME certificates. 

 

Affected DigiCert brands

 Brand  Validation type  Product
 DigiCert  OV
  • Basic OV
  • Secure Site OV
  • Secure Site Pro SSL
  • Cloud
  • Standard SSL
  • Multi-Domain SSL
  • Wildcard
  • Secure Site SSL
  • Secure Site Multi-Domain SSL
  • Secure Site Wildcard SSL
 DigiCert  EV
  • Basic EV
  • Secure Site EV
  • Secure Site Pro EV SSL
  • Extended Validation SSL
  • EV Multi-Domain SSL
  • Secure Site EV SSL
  • Secure Site EV Multi-Domain SSL
 GeoTrust  DV
  • GeoTrust DV SSL
  • GeoTrust Cloud DV
  • GeoTrust Standard DV
  • GeoTrust Wildcard DV
 GeoTrust  OV
  • GeoTrust TrueBusiness ID OV
 GeoTrust  EV
  • GeoTrust TrueBusiness ID EV
 RapidSSL  DV
  • RapidSSL Standard DV
  • RapidSSL Wildcard DV
 Thawte  DV
  • Thawte SSL 123 DV
 Thawte  OV
  • Thawte SSL Webserver OV
 Thawte  EV
  • Thawte SSL Webserver EV
 Encryption Everywhere  DV
  • Encryption Everywhere DV

 

March 8, 2023, ICA/Root Replacements

 
 Certificate brand  G1 ICA certificate - current G1 root certificate - current  G2 ICA certificate - new  G2 Root certificate - new
 DigiCert DigiCert TLS RSA SHA256 2020 CA1 DigiCert Global Root CA DigiCert Global G2 TLS RSA SHA256 2020 CA1 DigiCert Global Root G2
 DigiCert DigiCert SHA2 Extended Validation Server CA DigiCert High Assurance EV Root CA DigiCert EV RSA CA G2 DigiCert Global Root G2
 Thawte Thawte RSA CA 2018 DigiCert Global Root CA Thawte TLS RSA CA G1 DigiCert Global Root G2
 Thawte Thawte EV RSA CA G2 DigiCert High Assurance EV Root CA Thawte EV RSA CA G2 DigiCert Global Root G2
 GeoTrust GeoTrust RSA CA 2018 DigiCert Global Root CA GeoTrust TLS RSA CA G1 DigiCert Global Root G2
 GeoTrust GeoTrust EV RSA CA 2018 DigiCert High Assurance EV Root CA GeoTrust EV RSA CA G2 DigiCert Global Root G2
 GeoTrust GeoTrust Global TLS RSA4096 SHA256 2022 CA1 DigiCert Global Root CA GeoTrust TLS RSA CA G1 DigiCert Global Root G2
 RapidSSL RapidSSL Global TLS RSA4096 SHA256 2022 CA1 DigiCert Global Root CA RapidSSL TLS RSA CA G1 DigiCert Global Root G2
 Encryption Everywhere Encryption Everywhere DV TLS CA - G1 DigiCert Global Root CA Encryption Everywhere DV TLS CA - G2 DigiCert Global Root G2

 

What are root and ICA certificates used for?

Root certificates

Root certificates are the anchor of public certificate trust. Certificate Authorities (CAs) work with operating systems, browsers, and other applications to get their root certificates included in trust stores to ensure that your public certificates are trusted.

CAs use public root certificates to issue Intermediate CA certificates. They don't use root certificates to issue your public TLS certificates.

ICA certificates

CAs use ICA certificates to issue TLS and other digital certificates. The ICA certificate also links your TLS certificate to the root certificate in a trust store, enabling browsers and other applications to trust it.

For more information about certificate chains and how they work, see How Certificate Chains Work.

How do switching root and ICA certificates affect me?

Switching to a different certificate hierarchy typically doesn't require additional work as long as you always install the DigiCert-provided ICA certificate when installing your TLS certificate.

With the change to G2 certificate hierarchies, no action is required unless you do any of the following:

  • Pin ICA/Root certificates
  • Hard-code the acceptance of ICA/Root certificates
  • Operate a trust store

If you do any of the above, we recommend updating your environment before March 8, 2023. Stop pinning or hard-coding root or ICA certificate acceptance or make the necessary changes to ensure certificates issued from the G2 certificate hierarchy are trusted (in other words, they can chain up to their trusted G2 root certificate).

What if I don’t want to stop pinning or hard coding certificate trust?

DigiCert will eventually replace the G2 root and ICA certificate hierarchies with our new single-purpose G5 root and ICA certificate hierarchies.

We recommend moving straight to DigiCert’s new single-purpose G5 root and ICA certificate hierarchies for issuing your TLS/SSL certificates. Then, you will have the option to issue certificates from a G5 ICA certificate. Because the G5 roots lack the ubiquity of our older roots, you must add a fourth certificate to your certificate chain, a cross-signed root, to ensure your certificates are trusted. However, you will only need to prepare your environment once.

See our DigiCert G5 Root and Intermediate CA Certificate Update knowledge base article for more information.

How do switching root and ICA certificates affect my existing certificates?


Switching to the G2 root and ICA certificates does not affect your existing certificates. DigiCert has timed the move to G2 root certificate hierarchies to ensure your existing certificates will not be affected by the Mozilla distrust policy. Active TLS/SSL certificates issued from a G1 hierarchy will remain trusted until they expire.

However, newly issued, renewed, reissued, and duplicate certificates issued after March 8, 2023, will chain to the G2 root hierarchy. When installing your certificates, make sure to include the DigiCert-provided ICA certificate.

Best practice: Install the DigiCert provided ICA certificate

When installing a certificate, you should always include the DigiCert-provided ICA certificate. DigiCert has always recommended this best practice to ensure your certificate can link to its root certificate and be trusted.

What if I need more time to update my environment?


If you need more time to prepare, contact DigiCert Support. We will set up your account so you can continue to use the first-generation root and ICA certificates you are using now.

When deciding how long to stay on your current root, remember that Mozilla root distrust includes the ICA certificate and TLS/SSL certificates linked to the root. To remain trusted, all active certificates, including reissues and duplicates, must be reissued from a G2 or newer root hierarchy before the root certificate is distrusted.