DigiCert Global Root G1 Trust Chain Retirement
Published: December 11, 2025
DigiCert is retiring the DigiCert Global Root G1 trust chain by April 2026. Illumio SaaS certificates currently rely on this chain, so Illumio will transition to newer DigiCert roots to ensure continued security and compatibility across supported platforms.
Illumio SaaS will adopt the following new root certificate chains:
DigiCert Global Root G2 (RSA)
DigiCert Global Root G3 (ECC)
These will replace the existing DigiCert Global Root CA (G1) used today. This document explains what this means, how to prepare your environment, and how to ensure uninterrupted VEN connectivity during the transition window.
For more information, see the DigiCert website.
What is changing?
Industry-wide, certificate authorities are reducing the trust lifetimes of root certificates. DigiCert has announced the retirement of the G1 trust chain, after which browsers and operating systems will begin distrusting it.
Illumio SaaS certificates must be reissued under new chains. The selected replacements, G2 and G3, offer the broadest compatibility with existing customer operating systems and VEN versions.
Transitioning to these new roots ensures:
Continued trust by browsers, OS vendors, and TLS libraries
Ongoing support for legacy and current operating systems
Minimal disruption for customer workloads
Who is impacted?
Most customers will not need to take action. Your operating systems already trust DigiCert’s G2 and G3 roots.
Action Required in Specific Cases
You may need to take action in these cases:
You pin the DigiCert G1 root in your environment.
You maintain custom trust bundles.
Your workloads run in restricted or offline environments.
OS root stores are not automatically updated.
You deploy Windows systems that block access to Windows Update.
You deploy an OS that no longer receives updates for CA bundles.
In these scenarios, connecting VENs may fail TLS validation unless the G2 and G3 root certificates are present.
Transition Timeline
Illumio SaaS will begin transitioning certificates to the new DigiCert Global Root G2 and G3 chains between March and April of 2026.
A detailed, cluster-by-cluster rollout schedule will be published as we approach this window.
Browser distrust of G1 starts on April 15, 2026.
Required Customer Actions
Make sure that the following DigiCert root certificates are trusted on all VEN-hosting systems:
DigiCert Global Root G2 (RSA)
DigiCert Global Root G3 (ECC)
These are typically preinstalled on modern OS platforms. Customers with manually managed trust stores must confirm their presence.
Update OS trust stores where needed.
This applies especially to:
Offline or hardened Windows systems
Linux systems using static CA bundles
Legacy platforms such as Solaris and AIX
Custom security baselines where roots are managed centrally
Update any custom or pinned CA bundles.
If your environment uses a custom CA file, you must add G2 and G3 before Illumio SaaS transitions to the new chains.
Restart all VENs after the trust store updates happen.
VENs load root certificates only at service startup. If the VEN is not restarted after the trust store is updated, it may fail to trust the new SaaS certificate chain.
A restart is required on all supported OS platforms after a trust store update.
Validate connectivity after the updates are complete.
Validate that workloads can maintain VEN connectivity to the PCE before the cutover window.
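For environments that use a custom CA file, the presence check described in the steps above can be scripted. The following is an added example, not Illumio or DigiCert code: it loads a PEM bundle with Python's standard ssl module and reports whether the G2 and G3 roots are present and unexpired, and whether the bundle still carries only G1. The function names and the sample entry are assumptions made for illustration.

```python
import ssl
import sys
import time

# Names as the article gives them. A CN match is a presence check only;
# confirm fingerprints against the values DigiCert publishes.
REQUIRED_ROOTS = ("DigiCert Global Root G2", "DigiCert Global Root G3")
LEGACY_ROOT = "DigiCert Global Root CA"  # G1, the chain being retired

def common_name(cert):
    """Subject commonName of one SSLContext.get_ca_certs() entry."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def audit_roots(ca_certs, now=None):
    """Report required roots that are missing or expired, and whether the
    list still carries G1 without any usable replacement (a G1-only pin)."""
    now = time.time() if now is None else now
    valid, expired = set(), set()
    for cert in ca_certs:
        cn = common_name(cert)
        if cn in REQUIRED_ROOTS:
            live = ssl.cert_time_to_seconds(cert["notAfter"]) > now
            (valid if live else expired).add(cn)
    names = {common_name(c) for c in ca_certs}
    return {
        "missing": sorted(set(REQUIRED_ROOTS) - valid - expired),
        "expired": sorted(expired - valid),
        "g1_only": LEGACY_ROOT in names and not valid,
    }

def load_bundle(path):
    """Load a PEM CA file into an isolated context (no OS defaults)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()

# Constructed sample: a bundle pinned to G1 only (not real certificate data).
SAMPLE = [{"subject": ((("commonName", LEGACY_ROOT),),),
           "notAfter": "Jan  1 00:00:00 2030 GMT"}]

if __name__ == "__main__":
    certs = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    report = audit_roots(certs)
    print(report)
    sys.exit(1 if report["missing"] or report["expired"] else 0)
```

Pass the path of the custom CA file as the only argument. A non-zero exit status means at least one of the two roots is missing or expired in that file.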
FAQs
Why is Illumio making this change?
DigiCert is deprecating the DigiCert Global Root G1 chain. Major operating systems, browsers, and security providers will soon distrust G1. Moving to DigiCert Global Root G2 and G3 ensures continued trust and compatibility for all Illumio SaaS deployments.
Will the Illumio VENs stop working?
For most customers, this transition will be transparent. The VEN trusts the TLS certificate chain provided by the underlying OS (unless you override this behavior with a custom trust bundle).
VEN connectivity issues may arise only if:
You explicitly pin or restrict the trust store to the G1 root, OR
Your system is configured to trust a custom CA bundle that excludes G2/G3, OR
You deploy Illumio VENs in hardened or minimal environments that do not include recent DigiCert root certificates, OR
You deploy Windows systems that block access to Windows Update on the web, OR
You deploy an OS that no longer receives updates for CA bundles.
If your workloads use standard OS trust stores and receive regular updates, no action is required.
If you update the OS trust store, the VEN must be restarted so it can reload the new CA list. Environments without OS updates (locked-down Windows, legacy Linux, AIX/Solaris systems, or STIG-restricted images) may require manual installation of the new root certificates.
Does this affect console login or API integrations?
Only if your tooling pins the old G1 chain. Browsers and API clients that rely on default OS trust stores will continue to work as expected.
Do I need to reinstall or update the VENs?
No. After updating the operating system’s trusted root store, you must restart the VEN to load the updated CA bundle. The VEN loads the root CA list only at service startup. Without a restart, it will continue to use the old trust list. This applies to most platforms including Windows, Linux, macOS, AIX, and Solaris.
How do I verify if my systems already trust the DigiCert Global Root G2 and G3 certificates?
You can confirm whether your OS trust store includes the DigiCert Global Root G2 and Global Root G3 certificates by running the following curl commands from any server or endpoint where the VEN is installed:
# Test trust for DigiCert Global Root G2
curl https://global-root-g2.chain-demos.digicert.com
# Test trust for DigiCert Global Root G3
curl https://global-root-g3.chain-demos.digicert.com
If each command returns a successful HTTP response, it indicates that the system’s OS trust store already contains (and trusts) the respective DigiCert root certificate. If the request fails with a certificate verification error, that root may be missing or restricted by your trust store configuration.
Will this cause downtime?
Downtime is not expected to exceed the normal maintenance window required to update the certificate chain in Illumio SaaS. VENs and browser access automatically use the new certificate chain once it becomes active.
What if I run an OS version that is out-of-support or never received the G2 root?
In uncommon scenarios (older AIX/Solaris, custom Linux images, or locked-down STIG environments), you may need to manually add the G2 root to your custom trust bundle.
When will the transition happen?
Browsers will start distrusting the G1 certificate chain beginning April 15, 2026. The exact cutover window for Illumio SaaS will be published in this Knowledge Base article as we approach the transition window.
Where can I obtain the DigiCert Global Root certificates?
You can download them from DigiCert’s official repository.
Why is Illumio switching to both DigiCert Global Root G2 (RSA) and DigiCert Global Root G3 (ECC)?
Illumio signs SaaS certificates using both RSA and ECC algorithms to support the widest range of client platforms.
RSA certificates will chain to DigiCert Global Root G2
ECC certificates will chain to DigiCert Global Root G3
Using these two roots ensures maximum compatibility with existing VEN versions and OS platforms.
Why is Illumio moving to DigiCert Global Root G2 (RSA) instead of the newer DigiCert Global Root G5 (RSA) which has a longer trust window?
While G5 has a longer browser trust window, Illumio is adopting DigiCert Global Root G2 because it provides the safest, most compatible, and least disruptive path for all customers, while still meeting DigiCert’s requirements for G1 deprecation.
When will Illumio SaaS begin transitioning to certificates signed by the new DigiCert Global Root G2 and G3 chains?
Illumio will begin transitioning SaaS certificates to the DigiCert Global Root G2 (RSA) and DigiCert Global Root G3 (ECC) chains between March and April of 2026. A schedule for each SaaS environment (PCE clusters) will be published here as we get closer to the transition window.