DigiCert Global Root G1 Trust Chain Retirement
Document Updated: March 4, 2026; January 30, 2026
Document First Published: December 11, 2025
DigiCert is retiring the DigiCert Global Root G1 trust chain by April 2026. Illumio SaaS certificates currently rely on this chain, so Illumio will transition to newer DigiCert roots to ensure continued security and compatibility across supported platforms.
Illumio SaaS will adopt the following new root certificate chains:
DigiCert Global Root G2 (RSA)
DigiCert Global Root G3 (ECC)
These will replace the existing DigiCert Global Root CA (G1) used today. This document explains what this means, how to prepare your environment, and how to ensure uninterrupted VEN connectivity during the transition window.
For more information, see the DigiCert website.
What is changing?
Industry-wide, certificate authorities are reducing the trust lifetimes of root certificates. DigiCert has announced the retirement of the G1 trust chain, after which browsers and operating systems will begin distrusting it.
Illumio SaaS certificates must be reissued under new chains. The selected replacements, G2 and G3, offer the broadest compatibility with existing customer operating systems and VEN versions.
Transitioning to these new roots ensures:
Continued trust by browsers, OS vendors, and TLS libraries
Ongoing support for legacy and current operating systems
Minimal disruption for customer workloads
Who is impacted?
Most customers will not need to take action. Your operating systems already trust DigiCert’s G2 and G3 roots.
Action Required in Specific Cases
You may need to take action in these cases:
You pin the DigiCert G1 root in your environment.
You maintain custom trust bundles.
Your workloads run in restricted or offline environments.
OS root stores are not automatically updated.
You deploy Windows systems that block access to Windows Update.
You deploy an OS that no longer receives updates for CA bundles.
In these scenarios, connecting VENs may fail TLS validation unless the G2 and G3 root certificates are present.
Transition Timeline
Illumio SaaS will start transitioning certificates to the new DigiCert Global Root G2 and G3 chains between March and April 2026.
Clusters will be updated starting March 13, 2026. Illumio customers are advised to take any required actions in advance of that date.
Important
Browser distrust of G1 starts on April 15, 2026.
Operational Behavior During the Maintenance Window
To minimize operational disruption, Illumio will temporarily mark workloads as suspended in the PCE following the root CA update in Illumio SaaS. This state change is performed within the PCE only and is not communicated to VENs, which continue operating in enforcement mode without traffic interruptions.
Marking a workload as suspended in the PCE does not suspend the VEN or stop traffic. Instead, this state prevents workloads from being marked offline and written out of policy due to offline timers during the transition.
VENs will automatically return to an active state following their first heartbeat after the root certificate update. If the trust stores for a VEN are configured correctly, this can be expected to happen within the first several minutes after the root cert is updated.
After the root certificate replacement, any workloads that remain suspended must be investigated to determine why they are unable to communicate with the PCE. While these workloads will continue to enforce their last known policy, they will not be able to receive new or updated policy until connectivity is restored.
Required Customer Actions
Make sure that the following DigiCert root certificates are trusted on all VEN-hosting systems:
DigiCert Global Root G2 (RSA)
DigiCert Global Root G3 (ECC)
These are typically preinstalled on modern OS platforms. Customers with manually managed trust stores must confirm their presence.
Caution
Make sure that your systems have both these root certificates. It may not be sufficient to only have one of these roots present.
Update OS trust stores where needed.
This applies especially to:
Offline or hardened Windows systems
Linux systems using static CA bundles
Legacy platforms such as Solaris and AIX
Custom security baselines where roots are managed centrally
Update any custom or pinned CA bundles.
If your environment uses a custom CA file, you must add G2 and G3 before Illumio SaaS transitions to the new chains.
Restart all VENs after the trust store updates happen.
VENs load root certificates only at service startup. If the VEN is not restarted after the trust store is updated, it may fail to trust the new SaaS certificate chain.
If you update your OS trust store, custom trust bundle, or pinned certificate configuration to include the new DigiCert roots, you must restart the VEN so it loads the updated trust bundle.
Without a restart, the VEN may continue using the previous trust configuration and fail to trust the updated SaaS certificate chain.
A restart is required on all supported OS platforms after a trust store update.
Validate connectivity after the updates are complete.
Validate that workloads can maintain VEN connectivity to the PCE before the cutover window.
Frequently Asked Questions (FAQs)
Review these FAQs to make sure you understand the impact of these updates.
Why is Illumio making this change?
DigiCert is deprecating the DigiCert Global Root G1 chain. Major operating systems, browsers, and security providers will soon distrust G1. Moving to DigiCert Global Root G2 and G3 ensures continued trust and compatibility for all Illumio SaaS deployments.
Will the Illumio VENs stop working?
For most customers, this transition will be transparent. The VEN trusts the TLS certificate chain provided by the underlying OS (unless you override this behavior with a custom trust bundle).
VEN connectivity issues may arise only if:
You explicitly pin or restrict the trust store to the G1 root, OR
Your system is configured to trust a custom CA bundle that excludes G2/G3, OR
You deploy Illumio VENs in hardened or minimal environments that do not include recent DigiCert root certificates.
You deploy Windows systems that block access to Windows Update on the web.
You deploy an OS that no longer receives updates for CA bundles.
If your workloads use standard OS trust stores and receive regular updates, no action is required.
If you update the OS trust store, custom trust bundle, or certificate pinning configuration, the VEN must be restarted so it can reload the updated trust bundle. Environments without OS updates (locked-down Windows, legacy Linux, AIX/Solaris systems, or STIG-restricted images) may require manual installation of the new root certificates.
Does this affect console login or API integrations?
Only if your tooling pins the old G1 chain. Browsers and API clients that rely on default OS trust stores will continue to work as expected.
Do I need to reinstall or update the VENs?
No. If you update the operating system trust store, custom trust bundle, or certificate pinning configuration, you must restart the VEN so that it loads the updated trust bundle. Without a restart, it will continue to use the old trust list. This applies to VENs on most platforms including Windows, Linux, macOS, AIX, and Solaris.
How do I verify if my systems already trust the DigiCert Global Root G2 and G3 certificates?
You can inspect your system trust store using these platform-specific commands:
Windows (PowerShell):
Get-ChildItem cert:\LocalMachine\Root
macOS:
security find-certificate -a -p /Library/Keychains/System.keychain > /tmp/system.pem
openssl storeutl -noout -text /tmp/system.pem
Linux (Red Hat 9):
openssl storeutl -noout -text /etc/pki/tls/certs/ca-bundle.crt
Verify that both “DigiCert Global Root G2” and “DigiCert Global Root G3” are present.
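The presence check above can be scripted for Linux bundles and custom CA files. This is an added example, not Illumio's or DigiCert's code: `missing_roots` and `check_bundle` are hypothetical helper names, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example: list which required DigiCert roots are absent from a trust
# bundle, given the text printed by `openssl storeutl -noout -text <bundle>`.
# Function and variable names here are illustrative assumptions.

# Reads the listing on stdin, prints one missing root per line, and returns
# non-zero if any is missing. Only "Subject:" lines count: an "Issuer:" line
# naming G2 or G3 does not mean that root certificate is in the bundle.
missing_roots() {
    # Normalise spacing around "=" so "CN = X" and "CN=X" both match.
    subjects=$(grep -E '^[[:space:]]*Subject:' |
        sed -E 's/[[:space:]]*=[[:space:]]*/=/g')
    rc=0
    for root in "DigiCert Global Root G2" "DigiCert Global Root G3"; do
        # The CN must end the field, so a longer name cannot match by prefix.
        if ! printf '%s\n' "$subjects" |
            grep -Eq "CN=${root}(,|[[:space:]]*\$)"; then
            printf '%s\n' "$root"
            rc=1
        fi
    done
    return "$rc"
}

# On a real host: check_bundle /etc/pki/tls/certs/ca-bundle.crt
check_bundle() {
    openssl storeutl -noout -text "$1" | missing_roots
}

# Constructed listings (not real command output), trimmed to the name lines.
SAMPLE_G2_ONLY='        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
        Subject: C = US, O = Example Org, CN = Example Intermediate CA'
SAMPLE_BOTH='        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3'

printf 'G2-only sample is missing: %s\n' \
    "$(printf '%s\n' "$SAMPLE_G2_ONLY" | missing_roots)"
printf 'Complete sample is missing: %s\n' \
    "$(printf '%s\n' "$SAMPLE_BOTH" | missing_roots)"
```

The same function works on a custom or pinned CA file, since it only reads the listing that `openssl storeutl` prints for whatever bundle path is passed in.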
Alternatively, you can confirm whether your OS trust store includes the DigiCert Global Root G2 and Global Root G3 certificates by following these steps:
Check if your OS trusts the new root certificates. Run these from any VEN-hosting system.
# Test trust for DigiCert Global Root G2
curl https://global-root-g2.chain-demos.digicert.com
# Test trust for DigiCert Global Root G3
curl https://global-root-g3.chain-demos.digicert.com
If each command returns a successful HTTP response, it indicates that the system’s OS trust store already contains (and trusts) the respective DigiCert root certificate. If the request fails with a certificate verification error, that root may be missing or restricted by your trust store configuration.
Important
This test only tells you whether the OS itself trusts G2/G3. It does not tell you whether the VEN has loaded those certificates.
Take action based on the results. If either test fails:
Update the OS trust store to include both DigiCert Global Root G2 (RSA) and DigiCert Global Root G3 (ECC).
Update any custom or pinned CA bundles to include G2 and G3.
Restart the VEN on that system (VENs load root certs only at startup).
If both tests pass, you must verify that the VEN was started (or restarted) after the root certificates were added to the OS trust store.
If the VEN has been running since before the trust store was updated, it may still be using the old cert list and won't trust the new chain. If the VEN's uptime predates the trust store update, restart the VEN.
Confirm that the new root certs are available to all VENs before the cutover window begins on March 13, 2026.
Will this cause downtime in Illumio SaaS?
SaaS downtime is not expected to exceed the normal maintenance window required to update the certificate chain in Illumio SaaS. VENs and browser access automatically use the new certificate chain once it becomes active.
What if I run an OS version that is out-of-support or never received the G2 root?
In uncommon scenarios (older AIX/Solaris, custom Linux images, or locked-down STIG environments), you may need to manually add the G2 root to your custom trust bundle.
When will the transition happen?
Browsers will start distrusting the G1 certificate chain beginning April 15, 2026.
Note
Illumio will start to transition SaaS certificates to the DigiCert Global Root G2 (RSA) and DigiCert Global Root G3 (ECC) chains between March and April 2026.
Where can I obtain the DigiCert Global Root certificates?
Why is Illumio switching to both DigiCert Global Root G2 (RSA) and DigiCert Global Root G3 (ECC)?
Illumio signs SaaS certificates using both RSA and ECC algorithms to support the widest range of client platforms.
RSA certificates will chain to DigiCert Global Root G2
ECC certificates will chain to DigiCert Global Root G3
Using these two roots ensures maximum compatibility with existing VEN versions and OS platforms.
Why is Illumio moving to DigiCert Global Root G2 (RSA) instead of the newer DigiCert Global Root G5 (RSA) which has a longer trust window?
While G5 has a longer browser trust window, Illumio is adopting DigiCert Global Root G2 because it provides the safest, most compatible, and least disruptive path for all customers, while still meeting DigiCert’s requirements for G1 deprecation.
When will Illumio SaaS begin transitioning to certificates signed by the new DigiCert Global Root G2 and G3 chains?
Illumio will begin transitioning SaaS certificates to the DigiCert Global Root G2 (RSA) and DigiCert Global Root G3 (ECC) chains between March and April 2026.