
IMPORTANT UPDATE


Dear Clients

 

On March 8, 2023, we will begin updating the default public issuance of all TLS/SSL certificate brands to second-generation (G2) root hierarchies.

Note: This is a change from a previous email we sent in September, which said we would be moving default TLS/SSL issuance to fifth-generation (G5) root hierarchies.

WHY ARE WE NOW MOVING TLS/SSL ISSUANCE TO G2 ROOTS INSTEAD OF G5 ROOTS?

 

We have postponed the move to G5 root and ICA hierarchies based on Mozilla’s latest proposed policy changes, and to provide more time to ensure G5 root ubiquity.

In 2025, Mozilla will begin deprecating older root certificates within its Firefox browser, including some DigiCert roots. On March 8, 2023, DigiCert will stop issuing TLS/SSL certificates from these older hierarchies and start issuing them from our G2 hierarchies to ensure your certificates remain trusted in Firefox.

Mozilla’s deprecation plan applies to all public root certificates. The following chart shows how the plan applies to root certificates owned specifically by DigiCert:

| Root Generation | DigiCert Root certificate | *Mozilla TLS deprecation date | *Mozilla S/MIME deprecation date |
|---|---|---|---|
| G1 | Baltimore CyberTrust Root | April 15, 2025 (the Baltimore CyberTrust Root certificate expires on May 12, 2025) | N/A (the Baltimore CyberTrust Root certificate expires on May 12, 2025) |
| G1 | DigiCert Assured ID Root CA | April 15, 2026 | April 15, 2029 |
| G1 | DigiCert Global Root CA | April 15, 2026 | April 15, 2029 |
| G1 | DigiCert High Assurance EV Root CA | April 15, 2026 | April 15, 2029 |
| G2 | DigiCert Global Root G2 | April 15, 2029 | April 15, 2032 |
| G5 | DigiCert TLS RSA4096 Root G5 | Jan 15, 2036 | N/A (this G5 hierarchy doesn’t issue S/MIME certs) |

 

*On the above dates, Mozilla will also stop trusting active end-entity certificates issued from deprecated roots; TLS/SSL certificates first, followed by S/MIME certificates.

 

WHAT DO I NEED TO DO?

No action is required unless you do any of the following:

·     Pin root or ICA certificates

·     Hard-code the acceptance of root or ICA certificates

·     Operate a trust store


If you do any of the above, we recommend:

·     Updating your environment before March 8, 2023.

·     Stopping the pinning or hard-coding of certificate acceptance.

·     Distributing DigiCert G2 roots to the local trust stores to ensure TLS/SSL certificates that chain up to the G2 root certificates are trusted.

Use this chart to identify the current and new ICA and root certificates for each TLS/SSL certificate brand:

| TLS/SSL Certificate Brand | Current G1 ICA certificate | Current G1 root certificate | New G2 ICA certificate (after March 8, 2023) | New G2 Root certificate (after March 8, 2023) |
|---|---|---|---|---|
| DigiCert® | DigiCert TLS RSA SHA256 2020 CA1 | DigiCert Global Root CA | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | DigiCert Global Root G2 |
| DigiCert | DigiCert SHA2 Extended Validation Server CA | DigiCert High Assurance EV Root CA | DigiCert EV RSA CA G2 | DigiCert Global Root G2 |
| Thawte® | Thawte RSA CA 2018 | DigiCert Global Root CA | Thawte TLS RSA CA G1 | DigiCert Global Root G2 |
| Thawte | Thawte EV RSA CA 2018 | DigiCert High Assurance EV Root CA | Thawte EV RSA CA G2 | DigiCert Global Root G2 |
| GeoTrust® | GeoTrust RSA CA 2018 | DigiCert Global Root CA | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 |
| GeoTrust | GeoTrust EV RSA CA 2018 | DigiCert High Assurance EV Root CA | GeoTrust EV RSA CA G2 | DigiCert Global Root G2 |
| GeoTrust | GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA | GeoTrust TLS RSA CA G1 | DigiCert Global Root G2 |
| RapidSSL® | RapidSSL Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA | RapidSSL TLS RSA CA G1 | DigiCert Global Root G2 |
| Encryption Everywhere | Encryption Everywhere DV TLS CA - G1 | DigiCert Global Root CA | Encryption Everywhere DV TLS CA - G2 | DigiCert Global Root G2 |
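For anyone operating a trust store, the check below reports whether a store already carries the G2 root named in the chart. It is an added example, not DigiCert's tooling; the function names and sample stores are constructed, and matching is by subject name only, so fingerprints should still be confirmed against the copies downloaded from DigiCert.

```python
import ssl

# Root names as they appear in the announcement's chart.
G1_ROOTS = {"DigiCert Global Root CA", "DigiCert High Assurance EV Root CA"}
G2_ROOT = "DigiCert Global Root G2"

def common_names(ca_certs):
    """Subject commonName values from SSLContext.get_ca_certs() output."""
    names = set()
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            names.update(value for key, value in rdn if key == "commonName")
    return names

def audit_trust_store(ca_certs):
    """Classify a trust store by which DigiCert TLS roots it carries.

    Assumption: certificates are matched by subject name, not fingerprint.
    """
    names = common_names(ca_certs)
    g1_present = sorted(G1_ROOTS & names)
    if G2_ROOT in names:
        status = "g2-present"
    elif g1_present:
        status = "g1-only"  # G2 root still has to be distributed to this store
    else:
        status = "no-digicert-root"
    return {"status": status, "g1_present": g1_present}

def audit_bundle(cafile):
    """Audit a PEM bundle on disk, for example an application's own CA file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return audit_trust_store(ctx.get_ca_certs())

def _entry(cn):
    # Constructed entry in the dict shape get_ca_certs() returns.
    return {"subject": ((("organizationName", "DigiCert Inc"),), (("commonName", cn),))}

# Constructed sample stores, not real trust-store contents.
LEGACY_STORE = [_entry("DigiCert Global Root CA"), _entry("DigiCert High Assurance EV Root CA")]
UPDATED_STORE = LEGACY_STORE + [_entry(G2_ROOT)]

if __name__ == "__main__":
    print(audit_trust_store(LEGACY_STORE))
    print(audit_trust_store(UPDATED_STORE))
    # Certificates held only in a hashed CA directory are loaded lazily
    # and may not be listed by get_ca_certs().
    print(audit_trust_store(ssl.create_default_context().get_ca_certs()))
```
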

 

DON'T WANT TO STOP PINNING OR HARD-CODING?

We do not recommend pinning as the practice is considered a barrier to good security upkeep. If you want to continue pinning or hard-coding, we recommend moving straight to DigiCert’s new fifth-generation (G5) root and ICA certificate hierarchies for public TLS/SSL issuance. This will require installing a cross-signed root but you will only have to prepare your environment once.

To learn more about G5 roots and why they are the best option for long-term public TLS/SSL issuance, see our knowledgebase article, DigiCert G5 Root and Intermediate CA Certificate Update.

WHAT IF I NEED MORE TIME?

If you need more time to prepare your environment for the G2 update, you can continue issuing from your current root and ICA certificates after we make the G2 root hierarchies the default for public TLS/SSL certificate issuance on March 8, 2023. Contact DigiCert Support and they can set up your account to continue issuing from your current root and ICA certificates.

When deciding how long to stay on your current root, make sure you understand and accept the risks of staying on an older root hierarchy past March 8, 2023:

·     Mozilla’s root deprecation plan includes active ICAs and TLS/SSL certificates that chain to the deprecated roots.

·     TLS/SSL certificates that expire after their root certificate’s deprecation date will need to be reissued from G2 or newer root hierarchies to remain trusted.
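To see which certificates fall under the second risk, the sketch below compares each certificate's expiry with its root's Mozilla deprecation date from the chart above. It is an added example, not part of the original notice; the inventory, host names and function names are constructed, and the dates are copied from the chart.

```python
from datetime import date

# Mozilla deprecation dates per root as (TLS, S/MIME), copied from the chart.
# None stands for the chart's "N/A".
DEPRECATION = {
    "Baltimore CyberTrust Root": (date(2025, 4, 15), None),
    "DigiCert Assured ID Root CA": (date(2026, 4, 15), date(2029, 4, 15)),
    "DigiCert Global Root CA": (date(2026, 4, 15), date(2029, 4, 15)),
    "DigiCert High Assurance EV Root CA": (date(2026, 4, 15), date(2029, 4, 15)),
    "DigiCert Global Root G2": (date(2029, 4, 15), date(2032, 4, 15)),
    "DigiCert TLS RSA4096 Root G5": (date(2036, 1, 15), None),
}

def distrust_date(root, usage):
    """Date on which Mozilla stops trusting this usage under the given root."""
    if usage not in ("tls", "smime"):
        raise ValueError(f"unknown usage: {usage!r}")
    tls, smime = DEPRECATION[root]
    return tls if usage == "tls" else smime

def reissue_plan(inventory):
    """Return (certificates that outlive their root's date, names with unlisted roots)."""
    must_reissue, unknown = [], []
    for cert in inventory:
        if cert["root"] not in DEPRECATION:
            unknown.append(cert["name"])  # root not in the chart: review by hand
            continue
        cutoff = distrust_date(cert["root"], cert["usage"])
        if cutoff is not None and cert["not_after"] > cutoff:
            must_reissue.append((cutoff, cert["name"], cert["root"]))
    return sorted(must_reissue), sorted(unknown)

# Constructed inventory; names and expiry dates are sample values.
INVENTORY = [
    {"name": "www.example.test", "usage": "tls", "root": "DigiCert Global Root CA", "not_after": date(2026, 6, 1)},
    {"name": "api.example.test", "usage": "tls", "root": "DigiCert Global Root CA", "not_after": date(2026, 3, 1)},
    {"name": "old.example.test", "usage": "tls", "root": "Baltimore CyberTrust Root", "not_after": date(2025, 5, 1)},
    {"name": "mail-signing", "usage": "smime", "root": "DigiCert Assured ID Root CA", "not_after": date(2026, 6, 1)},
    {"name": "internal.example.test", "usage": "tls", "root": "Example Private Root", "not_after": date(2027, 1, 1)},
]

if __name__ == "__main__":
    due, unlisted = reissue_plan(INVENTORY)
    for cutoff, name, root in due:
        print(f"{name}: reissue from G2 or newer before {cutoff} ({root})")
    print("roots not in the chart:", unlisted)
```
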

 

MORE RESOURCES

Bookmark our knowledgebase article, DigiCert root and intermediate CA certificate updates 2023, for the most up-to-date information about the move to G2 roots.

Visit the DigiCert Trusted Root Authority Certificates page to download copies of DigiCert ICA and root certificates.

For more information about certificate chains and how they work, see How Certificate Chains Work.

If you have additional questions or concerns, please contact DigiCert Support.

 

Thank you,
DigiCert Team

