Spring changes in root/intermediate certificates
8 Apr 2026 | Jindřich Zechmeister
During April and May 2026, selected root and intermediate certificates within the Mozilla and DigiCert ecosystems will be revoked. This article summarizes the reasons for these changes and their practical implications.
In the next two months, we will face a double distrust of several root and intermediate certificates (ICA), which are being revoked to maintain compatibility with the Mozilla and Chrome Root Programs. However, you don't have to worry, as this poses no complication for our customers.
Mozilla distrust of G1 Root certificates
Starting from April 15th, 2026, Mozilla will cease to trust several older G1 root certificates. The reason is not a compromise, but the fact that these G1 (first generation) root certificates were multipurpose. They were used to issue not only TLS certificates for WebPKI but also other products such as Document Signing. Both Mozilla and Google want separate ICA certificate hierarchies to be used for WebPKI and browsers, without combining different product types.
The following root certificates are affected:
- DigiCert Assured ID Root CA
- DigiCert Global Root CA
- DigiCert High Assurance EV Root CA
These root certificates will cease to be trusted in Mozilla products as of April 15th, 2026, and DigiCert has already stopped using them for precautionary reasons. Newly issued certificates no longer use these root certificates, and existing ones will be valid until their expiration.
What does this mean for our customers?
The majority of customers will not even encounter this issue, as they issue their certificates with a newer root certificate (G2 or G3). The need for reissue and root replacement only concerned a small group of users who still used the aforementioned roots. We have individually notified them and assisted with the reissue.
May revocations - G3 and G5 ICA certificates
On May 15th, 2026, DigiCert will revoke several G2 and G3 intermediate certificates, but not the certificates issued from them. Certificates issued from them should be regenerated with new intermediates to maintain trustworthiness. The goal of this action is to allocate dedicated intermediates solely for issuing TLS certificates.
ICA revoked by May 15th
ICA certificates intended for issuing TLS certificates:
- DigiCert Global CA G2
- DigiCert G2 SMIME RSA4096 SHA384 2024 CA1
ICA certificates intended for Code Signing:
- DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
- DigiCert Global G3 Code Signing ECC P256 SHA384 2021 CA1
- DigiCert Global G3 Code Signing Europe ECC P-384 SHA384 2023 CA1
Two cross-signed G5 roots, which were not commonly used, will also be revoked:
- G3 Cross Signed DigiCert TLS ECC P384 Root G5
- G3 Cross Signed DigiCert CS ECC P384 Root G5
What does this mean for our customers?
Regarding these changes taking place on May 15th, we can state right away that the impact on our customers is absolutely zero and there is no need to perform any reissue.
Our recommendations to customers and developers
We have long recommended against so-called certificate pinning in applications and other projects that use certificates. A certificate's trustworthiness should be verified against its root certificate and the signatures in the certification chain; any "hard" check of issuing CAs is very risky for the future. It introduces a mechanism into your applications that will complicate your life later, because ICAs will surely change.
The upcoming changes are an example of this. In the future, all CAs want to rotate their ICA certificates more frequently and to create separate hierarchies for different usage purposes. Furthermore, in the coming years the algorithm used will change with the introduction of PQC (post-quantum cryptography) and, before that, hybrid certificates, so changes in this direction are inevitable. Use mechanisms other than "CA pinning" that will not break when intermediate certificates change.
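An inventory check in place of a pin, as an added example that is not code from this article or from DigiCert: it validates the connection against the platform trust store as usual and only reports whether a certificate's subject or issuer name appears in the lists above. The names `EVENTS`, `affected`, `fetch_leaf` and `SAMPLE_LEAF` and the event labels are this example's own; the sample certificate is constructed.

```python
import socket
import ssl

# Certificate names copied from the lists in this article; event labels are ours.
EVENTS = {
    "mozilla-distrust-2026-04-15": {
        "DigiCert Assured ID Root CA",
        "DigiCert Global Root CA",
        "DigiCert High Assurance EV Root CA",
    },
    "digicert-revocation-2026-05-15": {
        "DigiCert Global CA G2",
        "DigiCert G2 SMIME RSA4096 SHA384 2024 CA1",
        "DigiCert Global G3 Code Signing ECC SHA384 2021 CA1",
        "DigiCert Global G3 Code Signing ECC P256 SHA384 2021 CA1",
        "DigiCert Global G3 Code Signing Europe ECC P-384 SHA384 2023 CA1",
        "G3 Cross Signed DigiCert TLS ECC P384 Root G5",
        "G3 Cross Signed DigiCert CS ECC P384 Root G5",
    },
}

def common_names(name):
    """commonName values from an RDN sequence in getpeercert() layout."""
    return [value for rdn in name for key, value in rdn if key == "commonName"]

def affected(cert):
    """List (field, name, event) hits for one decoded certificate dict."""
    hits = []
    for field in ("subject", "issuer"):
        for cn in common_names(cert.get(field, ())):
            for event, names in EVENTS.items():
                if cn.strip() in names:
                    hits.append((field, cn.strip(), event))
    return hits

def fetch_leaf(host, port=443, timeout=5.0):
    """Fetch the leaf over a normally validated connection (trust store, no pins)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() layout, not a real certificate.
SAMPLE_LEAF = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert Global CA G2"),)),
}

if __name__ == "__main__":
    print(affected(SAMPLE_LEAF))
```

`getpeercert()` returns only the leaf, so its issuer identifies the ICA; a root shows up only if you pass in decoded certificates from further up the chain.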
Resources and more information
- DigiCert root and intermediate CA certificate updates 2023
- DigiCert transitioning multipurpose G2 and G3 roots to dedicated TLS root hierarchies