DigiCert root and intermediate CA certificate updates 2023

Description

On March 8, 2023, at 10:00 MST (17:00 UTC), DigiCert will begin updating the default public issuance of TLS/SSL certificate to our public, second-generation (G2) root, and intermediate CA (ICA) certificate hierarchies.


  Important:
  DigiCert will update this article as new information becomes available.

Why will DigiCert start issuing public TLS/SSL certificates from G2 root and intermediate CA certificate hierarchies?

In 2025, Mozilla will begin distrusting older DigiCert root certificates. On the dates specified in the Mozilla certificate distrust and dates table below, Mozilla will also stop trusting your active end-entity certificates: first, TLS/SSL certificates and then S/MIME certificates.

DigiCert has timed the move to G2 root certificate hierarchies to ensure your existing certificates will not be affected by the Mozilla distrust policy. Your active TLS/SSL certificates issued from the G1 hierarchy will remain trusted until they expire.

Mozilla certificate distrust and dates

GenerationRoot certificate*Mozilla TLS distrust date*Mozilla S/MIME distrust date
 G1 Baltimore CyberTrust Root April 15, 2025The BaltimoreCyberTrust Root certificate expires on May 12, 2025. N/AThe BaltimoreCyberTrust Root certificate expires on May 12, 2025.
 G1 DigiCert Assured ID Root CA April 15, 2026 April 15. 2029
 G1 DigiCert Global Root CA April 15, 2026 April 15. 2029
 G1 DigiCert High Assurance EV Root CA April 15, 2026 April 15. 2029
 G2 DigiCert Global Root G2 April 15. 2029 April 15. 2032
 G5 DigiCert TLS RSA4096 Root G5 Jan 15, 2036 N/A
This G5 Hierarchy doesn’t issue S/MIME certificates.

 *On the distrust date, Mozilla will also stop trusting your active end-entity certificates: first TLS/SSL certificates and then S/MIME certificates. 

Affected DigiCert brands

 Brand Validation type Product
 DigiCert OVBasic OVSecure Site OVSecure Site Pro SSLCloudStandard SSLMulti-Domain SSLWildcardSecure Site SSLSecure Site Multi-Domain SSLSecure Site Wildcard SSL
 DigiCert EVBasic EVSecure Site EVSecure Site Pro EV SSLExtended Validation SSLEV Multi-Domain SSLSecure Site EV SSLSecure Site EV Multi-Domain SSL
 GeoTrust DVGeoTrust DV SSLGeoTrust Cloud DVGeoTrust Standard DVGeoTrust Wildcard DV
 GeoTrust OVGeoTrust TrueBusiness ID OV
 GeoTrust EVGeoTrust TrueBusiness ID EV
 RapidSSL DVRapidSSL Standard DVRapidSSL Wildcard DV
 Thawte DVThawte SSL 123 DV
 Thawte OVThawte SSL Webserver OV
 Thawte EVThawte SSL Webserver EV
 Encryption Everywhere DVEncryption Everywhere DV

March 8, 2023, ICA/Root Replacements

 Certificate brand G1 ICA certificate – currentG1 root certificate – current G2 ICA certificate – new G2 Root certificate – new
 DigiCertDigiCert TLS RSA SHA256 2020 CA1DigiCert Global Root CADigiCert Global G2 TLS RSA SHA256 2020 CA1DigiCert Global Root G2
 DigiCertDigiCert SHA2 Extended Validation Server CADigiCert High Assurance EV Root CADigiCert EV RSA CA G2DigiCert Global Root G2
 ThawteThawte RSA CA 2018DigiCert Global Root CAThawte TLS RSA CA G1DigiCert Global Root G2
 ThawteThawte EV RSA CA 2018DigiCert High Assurance EV Root CAThawte EV RSA CA G2DigiCert Global Root G2
 GeoTrustGeoTrust RSA CA 2018DigiCert Global Root CAGeoTrust TLS RSA CA G1DigiCert Global Root G2
 GeoTrustGeoTrust EV RSA CA 2018DigiCert High Assurance EV Root CAGeoTrust EV RSA CA G2DigiCert Global Root G2
 GeoTrustGeoTrust Global TLS RSA4096 SHA256 2022 CA1DigiCert Global Root CAGeoTrust TLS RSA CA G1DigiCert Global Root G2
 RapidSSLRapidSSL Global TLS RSA4096 SHA256 2022 CA1DigiCert Global Root CARapidSSL TLS RSA CA G1DigiCert Global Root G2
 Encryption EverywhereEncryption Everywhere DV TLS CA – G1DigiCert Global Root CAEncryption Everywhere DV TLS CA – G2DigiCert Global Root G2

What are root and ICA certificates used for?

Root certificates

Root certificates are the anchor of public certificate trust. Certificate Authorities (CAs) work with operating systems, browsers, and other applications to get their root certificates included in trust stores to ensure that your public certificates are trusted.

CAs use public root certificates to issue Intermediate CA certificates. They don’t use root certificates to issue your public TLS certificates.

ICA certificates

CAs use ICA certificates to issue TLS and other digital certificates. The ICA certificate also links your TLS certificate to the root certificate in a trust store, enabling browsers and other applications to trust it.

For more information about certificate chains and how they work, see How Certificate Chains Work.

How do switching root and ICA certificates affect me?

Switching to a different certificate hierarchy typically doesn’t require additional work as long as you always install the DigiCert-provided ICA certificate when installing your TLS certificate.

With the change to G2 certificate hierarchies, no action is required unless you do any of the following:

  • Pin ICA/Root certificates
  • Hard-code the acceptance of ICA/Root certificates
  • Operate a trust store

If you do any of the above, we recommend updating your environment before March 8, 2023. Stop pinning or hard-coding root or ICA certificate acceptance or make the necessary changes to ensure certificates issued from the G2 certificate hierarchy are trusted (in other words, they can chain up to their trusted G2 root certificate).

What if I don’t want to stop pinning or hard coding certificate trust?

DigiCert will eventually replace the G2 root and ICA certificate hierarchies with our new single-purpose G5 root and ICA certificate hierarchies.

We recommend moving straight to DigiCert’s new single-purpose G5 root and ICA certificate hierarchies for issuing your TLS/SSL certificates. Then, you will have the option to issue certificates from a G5 ICA certificate. Because the G5 roots lack the ubiquity of our older roots, you must add a fourth certificate to your certificate chain, a cross-signed root, to ensure your certificates are trusted. However, you will only need to prepare your environment once.

See our DigiCert G5 Root and Intermediate CA Certificate Update knowledge base article for more information.

How do switching root and ICA certificates affect my existing certificates?


Switching to the G2 root and ICA certificates does not affect your existing certificates. DigiCert has timed the move to G2 root certificate hierarchies to ensure your existing certificates will not be affected by the Mozilla distrust policy. Active TLS/SSL certificates issued from a G1 hierarchy will remain trusted until they expire.

However, newly issued, renewed, reissued, and duplicate certificates issued after March 8, 2023, will chain to the G2 root hierarchy. When installing your certificates, make sure to include the DigiCert-provided ICA certificate.

Best practice: Install the DigiCert provided ICA certificate

When installing a certificate, you should always include the DigiCert-provided ICA certificate. DigiCert has always recommended this best practice to ensure your certificate can link to its root certificate and be trusted.

What if I need more time to update my environment?


If you need more time to prepare, contact DigiCert Support. We will set up your account so you can continue to use the first-generation root and ICA certificates you are using now.

When deciding how long to stay on your current root, remember that Mozilla root distrust includes the ICA certificate and TLS/SSL certificates linked to the root. To remain trusted, all active certificates, including reissues and duplicates, must be reissued from a G2 or newer root hierarchy before the root certificate is distrusted.

Scroll to top