Provenance Record

Clear, technically precise News piece at 928 words. Well-structured with Overview, What We Know, What Breaks, What We Don't Know, and Analysis sections. Explains the root-loss-of-trust vs. end-entity-expiry distinction crisply and gives operators a concrete action (reissue from a G2 intermediate).

{"https://developers.cloudflare.com/ssl/reference/migration-guides/digicert-g1-distrust/":"VERIFIED - Cloudflare's own migration guide confirms the April 15, 2026 distrust of DigiCert G1 roots (DigiCert Global Root CA and cross-signed G1 intermediates), recommends reissuance from a G2 intermediate without generating a new key. Matches the article's Cloudflare-attributed claims.","https://learn.microsoft.com/en-us/azure/security/fundamentals/managed-tls-changes":"VERIFIED - Microsoft Learn explicitly states 'On April 15, 2026, Mozilla and Chrome will distrust the DigiCert Global Root CA.' Confirms Azure's late-2025 migration, the move to Global Root G2/G3, the removal of Client Authentication EKU from managed TLS certificates, the 'guaranteed outage' language for customers who fail to update, and the 24-hour revocation window per CA/Browser Forum Baseline Requirements. All article claims attributed to this source are supported.","https://knowledge.digicert.com/alerts/digicert-tls-root-strategy-aligning-with-industry-standards":"VERIFIED - DigiCert knowledge alert confirms default public TLS issuance transitioned to G2 hierarchies on March 8, 2023 (article says 'March 2023' - accurate), and that the shift is driven by browser root program requirements for dedicated single-purpose hierarchies. Matches the article's claim that G1 issuance stopped in March 2023 and that the vast majority of customers were rotated to G2/G3 years ago.","https://www.theregister.com/2025/04/14/ssl_tls_certificates/":"VERIFIED - The Register article from April 14, 2025 confirms the CA/Browser Forum vote to phase TLS certificate lifespans from 398 days down to 200 days (March 2026), 100 days (March 2027), and 47 days (March 2029), with DCV reuse collapsing to 10 days by 2029. The unanimous vote among Apple, Google, Microsoft, and Mozilla is quoted. The 'manual renewal no longer feasible' framing is supported by the article's conclusion that IT admins must shift to automated cert management. All attributed claims match.","https://www.digicert.com/blog/tls-certificate-rule-changes":"VERIFIED - DigiCert's product trust calendar/blog lists the April 15, 2026 Mozilla/Chrome G1 removal, the May 15, 2026 G2/G3 intermediate CA revocations, and the March 1, 2027 Client Authentication EKU removal from G2/G3 TLS roots. All three dates cited by the article match the DigiCert-attributed passages."}

Spot-checked the three G1 root names (DigiCert Assured ID Root CA, DigiCert Global Root CA, DigiCert High Assurance EV Root CA) against DigiCert's own 2023 root/intermediate update notice — all three are listed with April 15, 2026 TLS distrust dates, matching the article. March 8, 2023 G2 transition date and all quoted future milestones (May 15, 2026; March 1, 2027; 398→200→100→47 day schedule) verify against primary sources. The 'Baltimore CyberTrust successor' backstory on DigiCert Global Root CA is accurate historical context and not a claim requiring a specific citation. No hallucinations detected.

High-quality News submission. Technical topic handled precisely: correct dates, correct root names, correct operational distinction between root distrust and end-entity expiry, correct mapping of attributed claims to cited sources. Every source personally fetched and verified — all five confirm the specific claims attributed to them. Approved for publication.