DigiCert G2, G3 & G5 Root Certificate Changes May 2026: Act Immediately

Key Take Aways

DigiCert will be revoking multiple G2, G3 and G5 intermediate CA certificates and switching to TLS-only hierarchy from the original multipurpose root hierarchy as part of major revisions to its public certificate infrastructure as mandated by new requirements under the Google Chrome Root Program that took effect in 2026.

If your organization uses any DigiCert SSL/TLS Certificates, S/MIME certificates or Code Signing Certificates, these changes could potentially have an effect on your certificate’s trust chains and their compatibility with applications.

This guide outlines the details of what changes are happening, why they are important, which types of certificates will be affected, and how organisations can prepare for these changes ahead of the deadline of May 15, 2026.

Why DigiCert Is Transitioning G2, G3 and G5 Root Hierarchies

Google Chrome’s Root Program now requires Certificate Authorities (CAs) to separate certificate use cases into dedicated root hierarchies.

Previously, many root certificates supported multiple purposes, including:

• TLS/SSL certificates
• S/MIME certificates
• Code signing certificates
• Client authentication

Google now requires Stricter Separation to Improve:

• PKI security
• Trust hierarchy clarity
• Certificate governance
• Browser trust consistency

To comply, DigiCert is transitioning:

• DigiCert Global Root G2
• DigiCert Global Root G3
• DigiCert Global Root G5

into dedicated single-purpose TLS hierarchies.

To keep up with browser security and state-of-the-art public PKI standards, DigiCert is now modernizing its infrastructure. Originally set to take place on December 31, 2022, the transition to the new DigiCert services will occur at a later date as announced, but will likely complete by May 16, 2026.

Also Important: DigiCert G1 Root Removal: What You Must Do Before April 2026

What Happens on May 15, 2026?

• Intermediate CA (ICA) Certificates
• Cross-Signed Root Certificates

While you will not see end entity certificate revocations immediately, certificates chained from revoked ICA certificates could stop working correctly.

This could result in:

• Browser “not secure” warnings
• Invalid certificate errors
• Failed HTTPS connections
• Broken Code Signing Trust
• S/MIME Validation Issues

To prevent interruptions in service, organizations must replace any affected certificate chains before the revocations become effective.

Why Intermediate CA Revocation Matters

The SSL/TLS certificates are dependent on the existence of a continued valid trust chain.

A certificate chain typically consists of the following components:

• End-entity Certificate
• Intermediate CA Certificate
• Root Certificate

If the Intermediate CA certificate is revoked, browsers and applications may stop trusting any certificates that were issued out of that hierarchy.

A good example of this is that the Web Certificate could still technically be active, however, the browser may block access to that site due to the revocation of the ICA.

Because of this, DigiCert recommends that you immediately reissue the affected certificates. This change is needed to keep DigiCert in line with changing security in the browsers and Public PKI standards.

TLS Certificates Affected by the Change

The following intermediate CA certificate for public TLS issuance will be revoked:

Current ICA Certificate	Replacement ICA Certificate
DigiCert Global CA G2	DigiCert Global G2 TLS RSA SHA256 2020 CA1

Organizations Currently using Certificates chained to DigiCert Global CA G2 should:

• Reissue affected TLS certificates
• Replace certificate bundles
• Update server trust chains
• Deploy replacement ICA certificates before May 15, 2026

Failure to update may cause browser trust failures.

Important: Sectigo Public Root CA Migration: What SSL Users Must Know

S/MIME Certificates Also Require Action

DigiCert is also revoking the following S/MIME ICA certificate:

Current ICA Certificate	Replacement ICA Certificate
DigiCert G2 SMIME RSA4096 SHA384 2024 CA1	DigiCert Assured ID SMIME RSA2048 SHA256 2021 CA1

Organizations using affected S/MIME certificates should:

• Reissue certificates from the replacement ICA
• Update mail server configurations
• Replace outdated certificate chains

This helps ensure continued email signing and encryption trust.

Code Signing Certificates Need Immediate Review

Several DigiCert G3 code signing ICA certificates will also be revoked.

This Impacts Organizations using:

• Software signing certificates
• Application signing workflows
• Java code signing environments

Affected Businesses should:

• Reissue code signing certificates
• Resign unsigned software files
• Verify timestamping configurations

Why Timestamping Is Critically Important

Timestamping ensures signed software remains trusted even after a certificate or intermediate CA is revoked.

Without Timestamping:

• Signed applications may become invalid instantly
• Operating systems may block installations
• Security warnings may appear during execution

Java applications are especially sensitive because Java validates current certificate status rather than revocation timing.

This means Java-signed applications may fail immediately once the ICA certificate is revoked. Organizations should review all signed binaries before the deadline.

DigiCert G5 Cross-Signed Root Changes

DigiCert will also revoke two older G5 cross-signed root certificates.

This Primarily Affects:

• Legacy operating systems
• Older trust stores
• Custom certificate chains
• Compatibility-focused deployments

Although end-entity certificates can last indefinitely, trust paths can break if outdated cross-signed roots aren’t updated. If your organization has older cross-signed root certificates, they need to be replaced with the new versions from DigiCert.

Why Cross-Signed Roots Matter

Cross-signed roots are important because they allow newer certificate hierarchies to be trusted by older devices and operating systems.

For example, older devices may not be able to directly trust the new DigiCert G5 root certificates. Cross-signed roots provide a bridge of compatibility between older trust stores and new PKI hierarchies.

If outdated cross-signed roots were to remain installed after they have been revoked, several issues will arise including:

• Inability to validate certificates
• Inability of older devices to establish HTTPS connections
• Loss of trust compatibility for applications

This is particularly crucial for companies supporting legacy environments.

What Organizations Must Do Before May 15, 2026

Audit Existing Certificates

Identify:

• TLS certificates
• S/MIME certificates
• Code signing certificates
• Legacy trust chain dependencies

Reissue Affected Certificates

Replace certificates issued from revoked ICA certificates using DigiCert’s updated hierarchy.

Replace Intermediate Certificates

Install updated:

• ICA certificates
• Cross-signed roots
• Complete trust chains

across all environments.

Verify Code Signing Timestamping

Ensure all signed applications use trusted timestamping services.

Test Legacy Compatibility

Validate updated trust chains on:

• Older operating systems
• Java environments
• Legacy browsers
• Embedded devices

Conclusion

Organizations need to keep track of CA infrastructure updates, new browser root program requirements, and changing PKI standards as certificate ecosystems develop.

Proactively reviewing certificate chains for outdated roots along with automated certificate lifecycle management will help mitigate trust failures, compatibility issues and unplanned downtime while providing lasting security, compliance and uninterrupted digital operations.

Search