New root and ICA certificates from March 2023

(28.11.2022) From 8th March next year, DigiCert CA will start issuing TLS/SSL certificates using the new root and intermediate (ICA) CA certificates of the second generation (G2).

Why is DigiCert changing its root and ICA certificates?

The change was initiated by Mozilla to replace the existing root and intermediate certificates due to their age. At the same time, the browser wants to limit the validity of the new root and ICA certificates to 10 years and thus increase their agility, so that they operate on the market for a shorter period of time and change more often. But the reason is also the future need to get closer to cryptography that can withstand quantum computers.

DigiCert therefore only responds to the new certificate issuing conditions. However, DigiCert had to postpone the previously planned transition to fifth generation (G5) root and ICA certificates for this reason.

What needs to be done?

No action is required on your part.

From 8th March 2023, DigiCert will start issuing new TLS/SSL certificates in the new hierarchy by default. However, existing TLS/SSLs will remain trusted until they expire.

However, we strongly advise against pinning the publisher for review in your apps, as the publisher changes at various intervals and will certainly continue to change in the future. Even G2 certificates will not be valid longer than until 2029.

Source: DigiCert official statement