20230117 - End of use of DigiCert G1 intermediate and root certificates
As of March 8, 2023 all SSL certificates issued by the DigiCert Group (DigiCert, Thawte, Geotrust, RapidSSL) will be using second-generation (G2) hierarchies.
The use of G5 chains has been postponed.
Why?
This decision is a direct consequence of Mozilla's new root management policy, which sets a maximum period for the use of root certificates.
As of 2025, Mozilla will begin distrusting older root certificates including DigiCert ones.
End-entity certificates issued under those hierarchies will no longer be recognized by Mozilla tools.
What are the consequences for your certificates?
For currently valid certificates: none.
For the certificates issued after March 8, 2023: even if the G2 hierarchies are widely distributed, there might be an impact on their recognition.
You may also encounter issues if you have hard-coded the acceptance of intermediate CA (ICA) or root certificates, or if you operate a trust store.
In those cases you'll have to update your environment before March 8, 2023.
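An added example (not part of the original notice): a pre-cutover check for environments that pin ICA/root certificates by SHA-256 fingerprint, reporting whether a chain would still be accepted and which CA fingerprints need to be added. The chains below are constructed placeholder bytes, not real DigiCert certificates, and `audit_pins`, `PINNED`, `OLD_CHAIN` and `NEW_CHAIN` are hypothetical names; in practice, load your own pin list and a leaf-first PEM chain issued under the G2 hierarchy.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle):
    """SHA-256 hex fingerprint of each certificate's DER bytes, in bundle order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_bundle)]

def audit_pins(pinned, chain_pem):
    """Check a leaf-first chain against a set of pinned ICA/root fingerprints."""
    ca_fps = fingerprints(chain_pem)[1:]      # skip the leaf, keep ICA(s) and root
    matched = [fp for fp in ca_fps if fp in pinned]
    return {
        "accepted": bool(matched),            # at least one pinned CA is in the chain
        "matched": matched,
        "to_add": [fp for fp in ca_fps if fp not in pinned],
    }

def to_pem(der):
    """Wrap raw bytes in a PEM certificate envelope (helper for the sample data)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed stand-ins, NOT real certificates. A fingerprint is only a hash of
# the DER bytes, so the same functions work unchanged on real PEM files.
OLD_CHAIN = "".join(to_pem(b) for b in (
    b"constructed leaf A", b"constructed old ICA", b"constructed old root"))
NEW_CHAIN = "".join(to_pem(b) for b in (
    b"constructed leaf B", b"constructed new ICA", b"constructed new root"))

# Assumption: the environment currently pins the old ICA and old root.
PINNED = set(fingerprints(OLD_CHAIN)[1:])

if __name__ == "__main__":
    for name, chain in (("old chain", OLD_CHAIN), ("new chain", NEW_CHAIN)):
        result = audit_pins(PINNED, chain)
        print(name, "accepted" if result["accepted"] else "REJECTED")
        for fp in result["to_add"]:
            print("  add to pin set before cutover:", fp)
```

Keep the old pins in place alongside the new ones until every certificate issued under the old hierarchy has been replaced.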
Alternative solutions
It will remain possible to obtain certificates issued on the G1 hierarchies for a few months by selecting the SHA1 hierarchy on the order forms.
It will also be possible to use a G5 hierarchy right away (G5 chains will eventually replace the G2 ones). Such requests will have to be submitted beforehand to our customer service and will be handled on a case-by-case basis.
The new roots
The following table indicates the G2 certificates that will replace the ones currently used by your certificates: