DigiCert moving to new G5 root and intermediate CA certificates
On March 8, 2023, at 10:00 MST (17:00 UTC), DigiCert will begin updating the default public issuance of TLS/SSL certificates to new, public, fifth-generation (G5) root and intermediate CA (ICA) certificate hierarchies.
TLS/SSL certificate brands:
For more information, see our DigiCert G5 Root and Intermediate CA Certificate Update knowledge base article. We recommend you bookmark this page, as we will continue to update this article as new information, ICA certificates, and cross-signed roots become available.
Why is DigiCert moving to new root and intermediate certificates?
The industry now requires Certificate Authorities (CAs) to stop using multipurpose roots and ICA certificates and start using single-purpose certificates instead.
For example, DigiCert has a single-purpose G5 root and ICA certificate for issuing RSA TLS/SSL certificates and another a single-purpose G5 root and ICA certificate for issuing ECC TLS/SSL certificates.
For more information about moving to single-purpose root and ICA certificates, see Mozilla's CA/Prioritization.
How do new root and intermediate CA certificates affect me?
From March 8, 2023, DigiCert will issue new public TLS/SSL certificates from the new G5 root and ICA certificate dedicated hierarchies. At this time, no action is required* unless you do any of the following:
We recommend updating your environment before March 8, 2023. Stop pinning or hard-coding root or ICA certificate acceptance and distribute DigiCert G5 roots to the local trust stores to ensure TLS/SSL certificates that chain up to the new root certificates are trusted.
How do the new G5 root and ICA certificates affect my existing TLS/SSL certificates?
Rolling out new root and intermediate CA (ICA) certificates does not affect existing TLS/SSL certificates. We don't remove old ICA and root certificates from certificate stores until all the certificates issued from them have expired. Active TLS/SSL certificates issued from a replaced root and ICA certificates remain trusted until they expire.
However, it does affect existing TLS/SSL certificates if you reissue or duplicate them from March 8, 2023. DigiCert will issue all new TLS/SSL certificates from the new G5 root and ICA certificate chains, including reissues and duplicates.
*Installing a cross-signed root certificate
Until our new G5 roots have the same ubiquity as the older DigiCert root certificates, we recommend installing the DigiCert-provided cross-signed root along with the intermediate CA certificate included with each TLS/SSL certificate issued from a G5 root certificate hierarchy.
Installing the cross-signed root certificate ensures your TLS certificate remains trusted even when its G5 root certificate is missing from a needed trust store.
We will add a link to instructions for installing a cross-signed root certificate as soon as they become available.
What if I need more time to update my environment?
If you need more time to prepare, contact DigiCert Support. We will set up your account so you can continue to use the root and ICA certificates you are using now.
Mozilla to distrust four DigiCert roots in 2024
The industry is moving to dedicated hierarchies, so the longer you stay on the old roots and ICA certificates, the less time you will have to move off them when the industry stops trusting them.
In 2024, Mozilla will distrust four DigiCert root certificates**:
If your certificates are issued from these certificate root hierarchies, you should move to new G5 root dedicated hierarchies before Mozilla distrusts your root certificate.
**TLS/SSL certificates issued before these dates will remain trusted until they expire. However, certificates issued from these dates, including reissues and duplicates, will no longer be trusted.