Chrome and Firefox Retire DigiCert's G1 Root Certificates, Closing the Book on a Two-Decade-Old WebPKI Anchor

Overview

Mozilla and Google completed the removal of DigiCert’s first-generation root certificates from the trust stores of Firefox and Chrome on April 15, 2026, retiring a set of certificate authorities that have underpinned WebPKI since the mid-2000s. According to DigiCert’s product trust calendar, the enforcement date marks the end of Chrome and Mozilla trust for the company’s public G1 root hierarchy. TLS certificates that still chain exclusively to those roots will be rejected by modern browsers from that date forward.

The change affects three long-lived roots: the DigiCert Assured ID Root CA, the DigiCert Global Root CA, and the DigiCert High Assurance EV Root CA. Microsoft confirmed the April 15, 2026 distrust date in its Azure managed TLS guidance, which explains that Azure has been migrating customer certificates off the legacy hierarchy since late 2025 to avoid outages.

What We Know

DigiCert stopped issuing new public TLS certificates from the G1 hierarchy in March 2023, moving default issuance to its second-generation G2 and G3 roots, as described in DigiCert’s root strategy alert. The long runway means most production certificates were rotated to G2 or G3 chains years ago, and the vast majority of DigiCert customers did not need to take action for this milestone.

The risk sits with deployments that still terminate at a G1 root, whether through manually pinned certificate chains, outdated CA bundles, custom trust stores, or embedded devices with hardcoded roots. Cloudflare’s migration guide for the DigiCert legacy root distrust notes that the issue is not the expiry date on end-entity certificates but the loss-of-trust date on the root: a technically valid certificate can become untrusted overnight if its chain terminates at a removed root. Cloudflare’s guidance recommends reissuing affected certificates from a G2 intermediate, a standard reissuance that does not typically require a new key.

The distrust sits inside a broader shift in how browsers manage public trust. According to Microsoft’s managed TLS change notice, the transition to G2 and G3 roots also strips the Client Authentication Extended Key Usage from public TLS certificates, a separate requirement from the Chrome Trusted Root Program that restricts public certificates to server authentication.

The G1 removal lands on the same month the broader CA/Browser Forum timeline for shorter certificate lifetimes takes effect. As The Register reported, the forum voted in April 2025 to phase TLS certificate lifespans down from today’s 398 days to 200 days starting March 2026, 100 days in March 2027, and 47 days by March 2029, with domain control validation reuse collapsing to 10 days at the end of that schedule. The vote passed unanimously among the four major browser root programs — Apple, Google, Microsoft, and Mozilla.

What Breaks

The organizations most at risk are those running legacy appliances, VPN concentrators, mail gateways, load balancers, and IoT deployments whose trust stores rarely receive updates. DigiCert’s own rule-change timeline notes that a further round of G2 and G3 intermediate CA revocations is scheduled for May 15, 2026, followed by the removal of the Client Authentication EKU from G2 and G3 TLS roots on March 1, 2027. Certificate owners relying on intermediate chains rather than root rotations will need a second pass of reissuance next month.

For end users, the visible symptom of a missed migration is a hard browser error rather than a warning banner — Chrome and Firefox refuse the connection entirely when a chain terminates at a removed root. Some enterprise platforms have warned of cascading failures: Microsoft’s guidance states that customers who did not update their Azure managed TLS configurations before the certificate expiration cycle are guaranteed to experience an outage, with earlier disruption possible if a certificate is revoked and must be replaced within the 24-hour window mandated by the CA/Browser Forum Baseline Requirements.

What We Don’t Know

The public data on residual G1 usage is thin. Neither DigiCert nor the browser vendors have published a count of end-entity certificates still chaining exclusively to the retired roots as of the removal date, so the scale of outages will only become clear as affected services fail over the coming weeks. Devices that do not receive trust-store updates — industrial controllers, older Android handsets, embedded automotive systems — may continue to trust the G1 roots indefinitely, creating an asymmetry in which some clients accept a certificate that modern desktop browsers reject.

It is also unclear how quickly other browser vendors will follow. Mozilla and Chrome are the two trust programs DigiCert has publicly aligned its April 15 milestone to; Apple’s and Microsoft’s operating system trust stores follow their own timelines, though Microsoft has been migrating its Azure managed TLS customers in anticipation of the same industry requirements.

Analysis

The G1 retirement is a reminder that the WebPKI’s trust anchors have finite lifetimes even when their keys remain mathematically sound. The DigiCert Global Root CA, originally operated by Baltimore CyberTrust’s successor hierarchies, has signed certificates across two decades of the commercial web. Its removal is driven less by cryptographic weakness than by the industry’s push toward dedicated single-purpose TLS roots, shorter certificate lifetimes, and tighter Chrome Root Program requirements that the older hierarchies were never structured to satisfy.

For operators, the practical takeaway is that the certificate-management discipline now required to keep a service online — inventory of chains, automation of renewals, readiness to reissue on short notice — is converging on what The Register described as a regime where manual renewal is no longer feasible. The G1 distrust is the first of several root-level transitions this year, with the May 15 intermediate revocations next on DigiCert’s calendar.