DigiCert G1 Root Retirement and Browsers’ Trust Changes in 2026

Impact on Certificate Chains and Reissuance

A typical SSL/TLS chain includes your website’s certificate, one or more intermediate certificates, and a root certificate trusted by operating systems and browsers. Modern deployments should already use SHA‑256 (SHA‑2) chains that terminate at up‑to‑date, SHA‑256‑signed roots, such as DigiCert Global Root G2, which remain trusted after 2026.

DigiCert‑issued certificates default to the SHA-2 root; however, DigiCert supports flexible certificate reissuance with different chain options, historically including chains that could terminate at DigiCert G1 roots to support very old clients. Going forward, any such G1‑based configuration must be considered temporary, and all public‑facing services should be reissued and redeployed with chains that end at DigiCert G2 or newer roots before April 15, 2026.

If you buy a 3‑year certificate before April 15th, 2026, and reissue it with a chain that ends at a DigiCert G1 root, browsers that follow the Mozilla/Chrome policies will still stop trusting it once the G1 root hits its April 2026 distrust date. In practice, the chain’s usable life in modern browsers is shortened to that date, regardless of the certificate’s printed validity.

Recommended Actions Before April 2026

To avoid outages around April 2026, it is necessary for all administrators to:

• Inventory all active certificates and identify deployments where the chain still ends at a DigiCert G1 root.
• Reissue or repurchase certificates so that all public‑trust services use chains that end at DigiCert G2 or newer SHA‑256‑signed roots, then update configurations on all servers and devices.
• Prefer SHA‑256/SHA‑2 chains for all new orders and plan for possible early renewals where legacy chains are still in use.

Environments that cannot be migrated in time (for example, very old internal systems) should be isolated or moved to private PKI or custom trust anchors, because public browsers will no longer trust DigiCert G1 roots for TLS after the distrust date.

Industry Context: Root Lifecycles and Browser Policies

The April 2026 event is specific to DigiCert’s G1 public TLS roots, but other CAs are going through similar root‑retirement cycles driven by the same browser policies. Mozilla and Chrome now cap how long a public TLS root can remain trusted (about 15 years for website use), and CAs are introducing new single‑purpose, SHA‑256‑signed roots while phasing out older ones.

For instance, Sectigo has already completed its full transition from legacy COMODO and USERTrust roots to the newer "Sectigo Public Server Authentication" hierarchies. Sectigo‑issued certificates use fixed chain configurations that cannot be modified during reissue, and are issued with SHA‑2 roots by default. However, in January 2026, Sectigo completed its transition to new Public Root CAs, and all newly issued certificates are now anchored to the updated hierarchies. For details on what changed and how to ensure compatibility with legacy systems, see our Sectigo Public Root CAs Migration guide.

Other CAs are following the same path, and this is part of a broader, ongoing industry‑wide cleanup — browsers will continue to phase out trust in aging root hierarchies as standards evolve, and administrators should proactively move all public‑trust TLS deployments to the newest SHA‑256, single‑purpose chains offered by their chosen CA.