{"id":4622,"date":"2026-04-16T10:12:19","date_gmt":"2026-04-16T10:12:19","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=4622"},"modified":"2026-04-16T10:12:20","modified_gmt":"2026-04-16T10:12:20","slug":"digicert-g1-root-removal-2026-what-it-means-what-actions-to-do","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/digicert-g1-root-removal-2026-what-it-means-what-actions-to-do\/","title":{"rendered":"DigiCert G1 Root Removal 2026: What It Means, Risks & Action Plan for Your TLS Infrastructure"},"content":{"rendered":"\n

DigiCert G1 Retirement 2026: A Turning Point in Web PKI Evolution<\/h2>\n\n\n\n

Mozilla and Google Chrome will revoke the G1 root certificates of DigiCert<\/a> on April 15, 2026. When the certificate you are using TLS chains to one of those roots, the browsers immediately do not trust it. A security warning is shown to your users. Breaking your login flows. Your payment page is a wall.<\/p>\n\n\n\n

It is not a browser bug. Your infrastructure on the nose.<\/p>\n\n\n\n

How Can It Disrupt Your Secure Connections?<\/h2>\n\n\n\n

This is what is particularly dangerous: even with a certificate that is not expired, not revoked, not with any problems on paper, a warning about untrusted prompts as soon as this change comes into effect. Having an expiry date on your cert is irrelevant when the root that it chains to is no longer trusted.<\/p>\n\n\n\n

The majority of DigiCert customers were transferred to G2 hierarchies back in March 2023 and do not have to do anything. However, to the organisations that continue to use older chains, particularly within a legacy environment, custom trust stores, or non-standard deployments, this is a very real, business-affecting risk.<\/p>\n\n\n\n

Important Dates, Changes, and Actions<\/h2>\n\n\n\n
Deadline<\/strong><\/td>What changes<\/strong><\/td>Who’s affected<\/strong><\/td>Action<\/strong><\/td>Urgency<\/strong><\/td><\/tr>
Apr 15, 2026<\/strong><\/td>DigiCert G1 roots removed from Chrome & Mozilla trust stores  <\/td>Anyone with active TLS certs still chaining to G1 roots  <\/td>Reissue into G2 or G3 before this date  <\/td>Critical  <\/td><\/tr>
May 15, 2026<\/strong><\/td>
G2\/G3 intermediate CA certs and two G5 cross-signed roots revoked  <\/td>		Orgs with S\/MIME, Code Signing, or cross-signed chain dependencies  <\/td>Switch to new ICA certs, replace cross-signed roots in chain  <\/td>High  <\/td><\/tr>
Mar 1, 2027<\/strong><\/td>
Client Auth EKU removed from all public TLS certificates  <\/td>		Organizations using public certs for mTLS or server-to-server auth  <\/td>Migrate to X9 PKI for TLS or Private PKI  <\/td>Plan now  <\/td><\/tr>
Already done<\/strong><\/td>
Default issuance moved to G2 hierarchies (Mar 8, 2023)  <\/td>		Most standard DigiCert customers  <\/td>No action needed \u2014 next renewal auto-moves to G2\/G3  <\/td>Safe<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

This isn’t just One Change: It’s a Sequence<\/h2>\n\n\n\n

The most pressing one is the G1 removal, although it is a subset of a larger cleanup of the public WebPKI. The following is the entire schedule:<\/p>\n\n\n\n

G1 Root Removal of Chrome and Mozilla<\/h3>\n\n\n\n

Three particular roots are pulled: DigiCert Global Root CA, DigiCert Assured ID Root CA and DigiCert High Assurance EV Root CA.<\/strong> <\/p>\n\n\n\n

Any active TLS certificates<\/a> that exclusively chain to these roots instantly lose their trust with Chrome and Firefox. No difference in certificates on G2 or G3 hierarchies.<\/p>\n\n\n\n

The G2\/G3 intermediates and cross-signed certificates can be revoked<\/h3>\n\n\n\n

DigiCert withdraws many G2 and G3 intermediate CA certificates to provide non-TLS products such as S\/MIME<\/a> and Code Signing<\/a>, and two G5 cross-sign root certificates. <\/p>\n\n\n\n

In case your chain of certificates relies upon any of these, validation is lost. This one traps those organisations that assumed that the G1 change was not relevant to them.<\/p>\n\n\n\n

Client Authentication EKU has been deleted from the public TLS certificates<\/h3>\n\n\n\n

DigiCert eliminates the clientAuth extended key usage<\/a> on all public TLS certs of all brands: DigiCert, GeoTrust, Thawte, RapidSSL, and Encryption Everywhere. <\/p>\n\n\n\n

In case your organisation relies on public certificates to make mutual TLS<\/a> or server-server authentication, you should have a migration plan long before this date.<\/p>\n\n\n\n

Who’s actually at Risk?<\/h2>\n\n\n\n

This is where most organisations get blindsided. They check their primary domain, see it’s fine, and close the ticket. Then something breaks in a partner integration at 2 am on a Tuesday.<\/p>\n\n\n\n

You’re exposed if any of these describe your environment:<\/strong><\/p>\n\n\n\n