Description
On March 8, 2023, at 10:00 MST (17:00 UTC), DigiCert will begin updating the default public issuance of TLS/SSL certificate to our public, second-generation (G2) root, and intermediate CA (ICA) certificate hierarchies.
Important: DigiCert will update this article as new information becomes available. |
Why will DigiCert start issuing public TLS/SSL certificates from G2 root and intermediate CA certificate hierarchies?
In 2025, Mozilla will begin distrusting older DigiCert root certificates. On the dates specified in the Mozilla certificate distrust and dates table below, Mozilla will also stop trusting your active end-entity certificates: first, TLS/SSL certificates and then S/MIME certificates.
DigiCert has timed the move to G2 root certificate hierarchies to ensure your existing certificates will not be affected by the Mozilla distrust policy. Your active TLS/SSL certificates issued from the G1 hierarchy will remain trusted until they expire.
Mozilla certificate distrust and dates
Generation | Root certificate | *Mozilla TLS distrust date | *Mozilla S/MIME distrust date |
G1 | Baltimore CyberTrust Root | April 15, 2025The BaltimoreCyberTrust Root certificate expires on May 12, 2025. | N/AThe BaltimoreCyberTrust Root certificate expires on May 12, 2025. |
G1 | DigiCert Assured ID Root CA | April 15, 2026 | April 15. 2029 |
G1 | DigiCert Global Root CA | April 15, 2026 | April 15. 2029 |
G1 | DigiCert High Assurance EV Root CA | April 15, 2026 | April 15. 2029 |
G2 | DigiCert Global Root G2 | April 15. 2029 | April 15. 2032 |
G5 | DigiCert TLS RSA4096 Root G5 | Jan 15, 2036 | N/A This G5 Hierarchy doesn’t issue S/MIME certificates. |
*On the distrust date, Mozilla will also stop trusting your active end-entity certificates: first TLS/SSL certificates and then S/MIME certificates. |
Affected DigiCert brands
Brand | Validation type | Product |
DigiCert | OV | Basic OVSecure Site OVSecure Site Pro SSLCloudStandard SSLMulti-Domain SSLWildcardSecure Site SSLSecure Site Multi-Domain SSLSecure Site Wildcard SSL |
DigiCert | EV | Basic EVSecure Site EVSecure Site Pro EV SSLExtended Validation SSLEV Multi-Domain SSLSecure Site EV SSLSecure Site EV Multi-Domain SSL |
GeoTrust | DV | GeoTrust DV SSLGeoTrust Cloud DVGeoTrust Standard DVGeoTrust Wildcard DV |
GeoTrust | OV | GeoTrust TrueBusiness ID OV |
GeoTrust | EV | GeoTrust TrueBusiness ID EV |
RapidSSL | DV | RapidSSL Standard DVRapidSSL Wildcard DV |
Thawte | DV | Thawte SSL 123 DV |
Thawte | OV | Thawte SSL Webserver OV |
Thawte | EV | Thawte SSL Webserver EV |
Encryption Everywhere | DV | Encryption Everywhere DV |
March 8, 2023, ICA/Root Replacements
Certificate brand | G1 ICA certificate – current | G1 root certificate – current | G2 ICA certificate – new | G2 Root certificate – new |
DigiCert | DigiCert TLS RSA SHA256 2020 CA1 | DigiCert Global Root CA | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | DigiCert Global Root G2 |
DigiCert | DigiCert SHA2 Extended Validation Server CA | DigiCert High Assurance EV Root CA | DigiCert EV RSA CA G2 | DigiCert Global Root G2 |
Thawte | Thawte RSA CA 2018 | DigiCert Global Root CA | Thawte TLS RSA CA G1 | DigiCert Global Root G2 |
Thawte | Thawte EV RSA CA 2018 | DigiCert High Assurance EV Root CA | Thawte EV RSA CA G2 | DigiCert Global Root G2 |
GeoTrust | GeoTrust RSA CA 2018 | DigiCert Global Root CA | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 |
GeoTrust | GeoTrust EV RSA CA 2018 | DigiCert High Assurance EV Root CA | GeoTrust EV RSA CA G2 | DigiCert Global Root G2 |
GeoTrust | GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 |
RapidSSL | RapidSSL Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA | RapidSSL TLS RSA CA G1 | DigiCert Global Root G2 |
Encryption Everywhere | Encryption Everywhere DV TLS CA – G1 | DigiCert Global Root CA | Encryption Everywhere DV TLS CA – G2 | DigiCert Global Root G2 |
What are root and ICA certificates used for?
Root certificates
Root certificates are the anchor of public certificate trust. Certificate Authorities (CAs) work with operating systems, browsers, and other applications to get their root certificates included in trust stores to ensure that your public certificates are trusted.
CAs use public root certificates to issue Intermediate CA certificates. They don’t use root certificates to issue your public TLS certificates.
ICA certificates
CAs use ICA certificates to issue TLS and other digital certificates. The ICA certificate also links your TLS certificate to the root certificate in a trust store, enabling browsers and other applications to trust it.
For more information about certificate chains and how they work, see How Certificate Chains Work.
How do switching root and ICA certificates affect me?
Switching to a different certificate hierarchy typically doesn’t require additional work as long as you always install the DigiCert-provided ICA certificate when installing your TLS certificate.
With the change to G2 certificate hierarchies, no action is required unless you do any of the following:
- Pin ICA/Root certificates
- Hard-code the acceptance of ICA/Root certificates
- Operate a trust store
If you do any of the above, we recommend updating your environment before March 8, 2023. Stop pinning or hard-coding root or ICA certificate acceptance or make the necessary changes to ensure certificates issued from the G2 certificate hierarchy are trusted (in other words, they can chain up to their trusted G2 root certificate).
What if I don’t want to stop pinning or hard coding certificate trust?
DigiCert will eventually replace the G2 root and ICA certificate hierarchies with our new single-purpose G5 root and ICA certificate hierarchies.
We recommend moving straight to DigiCert’s new single-purpose G5 root and ICA certificate hierarchies for issuing your TLS/SSL certificates. Then, you will have the option to issue certificates from a G5 ICA certificate. Because the G5 roots lack the ubiquity of our older roots, you must add a fourth certificate to your certificate chain, a cross-signed root, to ensure your certificates are trusted. However, you will only need to prepare your environment once.
See our DigiCert G5 Root and Intermediate CA Certificate Update knowledge base article for more information.
How do switching root and ICA certificates affect my existing certificates?
Switching to the G2 root and ICA certificates does not affect your existing certificates. DigiCert has timed the move to G2 root certificate hierarchies to ensure your existing certificates will not be affected by the Mozilla distrust policy. Active TLS/SSL certificates issued from a G1 hierarchy will remain trusted until they expire.
However, newly issued, renewed, reissued, and duplicate certificates issued after March 8, 2023, will chain to the G2 root hierarchy. When installing your certificates, make sure to include the DigiCert-provided ICA certificate.
Best practice: Install the DigiCert provided ICA certificate
When installing a certificate, you should always include the DigiCert-provided ICA certificate. DigiCert has always recommended this best practice to ensure your certificate can link to its root certificate and be trusted.
What if I need more time to update my environment?
If you need more time to prepare, contact DigiCert Support. We will set up your account so you can continue to use the first-generation root and ICA certificates you are using now.
When deciding how long to stay on your current root, remember that Mozilla root distrust includes the ICA certificate and TLS/SSL certificates linked to the root. To remain trusted, all active certificates, including reissues and duplicates, must be reissued from a G2 or newer root hierarchy before the root certificate is distrusted.