Download and install root certificates - Certificate Management Service

Most client environments—including modern browsers, Windows, macOS, iOS 12+, and Android 8+—come with root certificates from major CAs (such as DigiCert and GlobalSign) pre-installed and automatically updated. However, some environments require manual installation: if you see HTTPS connection failures or insecure warnings in mobile apps, Java clients, legacy operating systems, or IoT devices, a missing root certificate is likely the cause. This guide provides download links by CA brand and step-by-step installation instructions for operating systems, browsers, and Java.

When to install a root certificate manually

Manual installation is required in the following client environments:

Mobile applications: Apps with custom trust stores that don't sync with the system or browser's root certificate list.
Java clients: Applications that use an independent Java KeyStore (cacerts) and don't rely on the operating system's trust store.
Legacy operating systems or browsers: Older systems, such as Windows XP or Android 4.x, that lack pre-installed root certificates from newer CAs.
IoT devices and embedded systems: Resource-constrained devices that ship with a limited set of root certificates.
Corporate intranet environments: Systems using a private CA whose root certificate isn't included in public trust stores.
Compliance or security policies: Environments that require explicit control over the list of trusted CAs.

Important

For modern browsers (Chrome, Firefox, Safari, Edge) and operating systems (Windows 10/11, macOS, Android 8 or later, iOS 12 or later), root certificates from major international CAs such as DigiCert and GlobalSign are pre-installed and automatically updated. No manual action is required. For legacy systems such as Android 4.4.2, install the corresponding cross-root certificate manually to maintain a complete trust chain.

Download root certificates

If you're installing a root certificate from an internal enterprise CA, skip this section and go directly to Install root certificates.

Download the root certificate that matches the SSL certificate brand (for example, DigiCert or GeoTrust) and certificate type (DV/OV/EV) deployed on your server. For example, if your server uses a DigiCert OV SSL certificate, download the DigiCert OV root certificate.

Root certificate download links by brand

Certificate brand	Root certificate download
DigiCert	Note Starting December 1, 2024, SSL certificates of the DigiCert brands are issued from a new root and intermediate certificate chain. For more information, see Announcement on DigiCert Root Certificate Replacement. <br><br>DigiCert DV/OV root certificates<br>- Digicert_Global_Root_G2_DV_OV (New – Cross-root)<br>- DigiCert_Global_Root_G2_DV_OV (Old – Transitional)<br>- DigiCert_DV_OV_ROOT (Old)<br><br>DigiCert EV root certificate<br>- DigiCert_EV_ROOT
GeoTrust<br>Rapid<br>GlobalSign	- GlobalSign_DV_OV_ROOT<br>- GlobalSign R1-R3 Cross-root
Alibaba Cloud	Note Starting September 18, 2025, new SSL certificates from the Alibaba Cloud brand will be issued from a new root and intermediate certificate chain. For more information, see [Announcement] Alibaba Brand Certificate Root Update Announcement. TLS Root R46 Root Certificate GlobalSign Cross Certificate R3-R46 Alibaba Cloud GCC R46 AlphaSSL CA 2025
Alibaba Cloud	Note Starting September 18, 2025, Alibaba Cloud branded SSL certificates are issued using a new root and intermediate certificate. For more information, see [Announcement] Alibaba Brand Certificate Root Update Announcement. <br><br>- TLS Root R46 Root Certificate<br>- GlobalSign Cross Certificate R3-R46<br>- Alibaba Cloud GCC R46 AlphaSSL CA 2025

DigiCert root certificate compatibility

Use this table to identify which DigiCert root certificate to install based on your operating system or browser version.

Operating system or browser	DigiCert Global Root CA (old)	DigiCert Global Root G2 (old – transitional)	DigiCert Global Root G2 (new – cross-root)
Fingerprint	`a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436`	`df3c24f9bfd666761b268073fe06d1cc8d4f82a4`	`8bf7f178a745a11bac6ae5b586fc1838eadcb2cf`
Windows (internet)	Windows XP SP3+	—	—
Windows (internal network)	Windows 7+	Windows 8+	Windows 7+
macOS	Mac OS X 10.6+	Mac OS X 10.10+	Mac OS X 10.6+
iOS	iOS 4.0+	iOS 7.0+	iOS 4.0+
Firefox	Firefox 2+	Firefox 32+	Firefox 2+
NSS	NSS 3.11.8	NSS 3.16.3	NSS 3.11.8
Android	Android 1.1+	Android 5.0+	Android 1.1+
Chrome	Starting with Chrome 108, Chrome uses its own trust store. Earlier versions rely on the operating system's trust store.
Java	JRE 1.4.2_17+	JRE 1.8.0_131+	JRE 1.4.2_17+

Install root certificates

Install on an operating system

Windows

The following steps use Windows 10 as an example.

Open the Microsoft Management Console (MMC). Press Win+R to open the Run dialog box. Enter mmc and click OK.
Add the Certificates snap-in.
1. In the menu bar, choose File > Add/Remove Snap-in.
2. In the Add or Remove Snap-ins dialog box, select Certificates from the Available snap-ins list and click Add.
3. In the Certificates snap-in dialog box, select Computer account, then click Next.
4. In the Select Computer dialog box, select Local computer (the computer this console is running on) and click Finish.
Import the root certificate.
1. In the left navigation pane, expand Certificates (Local Computer).
2. Select the destination folder—for example, Enterprise Trust. Right-click the folder and choose All Tasks > Import. > Note: The available certificate stores are: > - Personal: Stores certificates for the current user or computer. > - Trusted Root Certification Authorities: Root certificates from CAs trusted by the operating system by default. > - Intermediate Certification Authorities: Intermediate certificates that link server certificates to a trusted root. > - Enterprise Trust: Certificates from an internal enterprise CA, trusted only within the organization's network.
3. Follow the on-screen instructions to complete the import.

macOS

The following steps use macOS 12.5.1 as an example.

Open Launchpad.
In the Launchpad search box, enter Keychain Access and click Keychain Access.
On the Keychain Access page, click the Certificates tab.
Drag the downloaded root certificate to an empty area on the Certificates tab. macOS automatically verifies the certificate.
Right-click the newly added certificate and click Get Info.
On the certificate information page, select Always Trust and click the icon.

Linux

Installation paths and commands vary by Linux distribution. The following sections cover CentOS/Red Hat and Ubuntu/Debian.

CentOS/Red Hat

Install the system CA certificates package.
```
sudo yum install ca-certificates
```
Copy the root certificate file to the system certificate directory.
```
/etc/pki/ca-trust/source/anchors/
```
Update the certificate trust store.
```
sudo update-ca-trust extract
```
The system regenerates the trust bundle at /etc/pki/tls/certs/ca-bundle.crt.
Verify the installation using OpenSSL.
```
openssl s_client -connect example.com:443 -CAfile /etc/pki/tls/certs/ca-bundle.crt
```
The output should include your certificate chain. A successful verification ends with Verify return code: 0 (ok).

Ubuntu/Debian

Install the system CA certificates package.
```
sudo apt install ca-certificates
```
Copy the root certificate file to the system certificate directory.
```
/usr/local/share/ca-certificates/
```
Update the certificate trust store.
```
sudo update-ca-certificates
```
The system merges the new certificate into /etc/ssl/certs/ca-certificates.crt.
Verify the installation.
- Check that the certificate file is trusted: ``bash # Replace your-certificate.crt with your root certificate filename. openssl verify /usr/local/share/ca-certificates/your-certificate.crt ` If the output is /usr/local/share/ca-certificates/your-certificate.crt: OK`, the verification succeeded.
- Check that the symbolic link was created: ``bash # Replace your-certificate with your root certificate filename. ls -la /etc/ssl/certs | grep your-certificate ``

Install in a browser

Chrome, Edge, and Internet Explorer on Windows use the operating system's trust store. For these browsers, import the root certificate into the operating system rather than into an individual browser. The steps in this section apply only when you need to configure a root certificate for a specific browser.

Google Chrome

This section uses Windows 10 and Chrome 138.0.7204.102 (64-bit) as an example.

Import the root certificate.
1. Open Chrome, click the icon in the upper-right corner, and select Settings.
2. In the left navigation pane, click Privacy and security.
3. Click Security > Manage certificates > Manage certificates imported from Windows.
4. In the Certificate Manager window, click the Trusted Root Certification Authorities tab.
5. Click Import in the lower-left corner. Follow the prompts to select and import the root certificate file. An Import Successful message confirms completion.
Verify the import.
1. Confirm the root certificate appears in the selected path.
2. Restart Chrome.
3. Access the target website and confirm that no "untrusted certificate" warnings appear.

Microsoft Edge

This section uses Windows 10 and Microsoft Edge 92.0.902.67 (64-bit) as an example.

Import the root certificate.
1. Open Edge, click the icon in the upper-right corner, and select Settings.
2. Click the Privacy, search, and services tab.
3. Scroll to the Security section and click Manage certificates. The Windows Certificate Manager opens.
4. Click the Trusted Root Certification Authorities tab.
5. Click Import in the lower-left corner. Follow the prompts to import the root certificate file. An Import Successful message confirms completion.
Verify the import.
1. Confirm the root certificate appears in the selected path.
2. Restart Edge.
3. Access the target website and confirm that no "untrusted certificate" warnings appear.

Mozilla Firefox

This section uses Windows 10 and Firefox 142.0.1 (64-bit) as an example.

Import the root certificate.
1. Open Firefox, click the icon in the upper-right corner, and select Settings.
2. Click the Privacy & Security tab.
3. Scroll to the Certificates section and click View Certificates. The Certificate Manager opens.
4. Click the Authorities tab, then click Import.
5. Follow the prompts to select and import the root certificate file.
Verify the import.
1. On the Authorities tab, check the Certificate Name column to confirm the root certificate is listed.
2. Restart Firefox.
3. Access the target website and confirm that no "untrusted certificate" warnings appear.

Internet Explorer

This section uses Windows 10 and Internet Explorer 11.1.20348.0 as an example.

Import the root certificate.
1. Open Internet Explorer, click the icon in the upper-right corner, and select Internet Options.
2. In the Internet Options window, click the Content tab.
3. Click Certificates to open the Certificates window.
4. Click the Trusted Root Certification Authorities tab.
5. Click Import in the lower-left corner. Follow the prompts to import the root certificate file.
Verify the import.
1. Confirm the root certificate appears in the selected path.
2. Restart Internet Explorer.
3. Access the target website and confirm that no "untrusted certificate" warnings appear.

Risks and maintenance considerations

Security risks

Untrusted sources: Only download root certificates from official or authoritative channels. Installing a root certificate from an unknown source can enable malware injection or man-in-the-middle attacks, severely compromising system security.
Operational errors: Importing a certificate to the wrong store location or using an incorrectly formatted file can disrupt the system's trust chain or cause application connection failures.

Compatibility and maintenance

System or application version limitations: Some legacy operating systems or applications don't support newer root certificate algorithms and may require an upgrade to ensure compatibility.
Root certificate expiration: Root certificates have an expiration date. When a CA issues a new root certificate or an existing one is about to expire, update the root certificate on all relevant clients to maintain a valid trust chain.

Bulk deployment

Manually installing root certificates across many heterogeneous devices is inefficient and error-prone. For large-scale deployments, use automated scripts or configuration management and device management tools.

FAQ

Do I need to redeploy the root certificate after my SSL certificate expires?

It depends on your client environment.

For mainstream browsers and operating systems where the OS handles root certificate updates automatically, no action is needed. The trust chain remains valid as long as your new SSL certificate chains to a trusted root.

For environments without pre-installed root certificates—such as mobile apps with built-in trust stores, standalone Java clients, legacy browsers, or IoT devices—you may need to redeploy in two situations: you changed the certificate brand or type (DV/OV/EV) when renewing, or the original root certificate expired (or the CA announced a switch to a new root). In these cases, download the matching root certificate and install it on the affected clients as described in this guide.

How do I install an intermediate certificate?

The process is the same as installing a root certificate. Follow the steps in Install root certificates, but select Intermediate Certification Authorities (or Authorities in Firefox) as the destination store instead of Trusted Root Certification Authorities.

Java client fails to access HTTPS

This is typically caused by a missing root or intermediate certificate in the Java Runtime Environment (JRE) trust store. For troubleshooting steps, see Java client fails to access HTTPS.

Which operating systems are supported by DigiCert and GeoTrust certificates?

Certificate brand	Root certificate	Windows	macOS X	Android	Java
DigiCert DV certificates	New root (DigiCert Global Root G2)	Windows 8 and later	OS X 10.7 and later	Android 4.4.2 and later	Java 1.8 and later
DigiCert DV certificates	Old root (DigiCert Global Root CA)	Windows 7 and later	OS X 10.5 and later	Android 2.3.3 and later	Java 1.6.05 and later
Rapid DV certificates	New root (DigiCert Global Root G2)	Windows 8 and later	OS X 10.7 and later	Android 4.4.2 and later	Java 1.8 and later
GeoTrust OV and EV certificates	Old root (DigiCert Global Root CA)	Windows 7 and later	OS X 10.5 and later	Android 2.3.3 and later	Java 1.6.05 and later

Starting mid-March 2023, DigiCert and GeoTrust branded SSL certificates are issued through the new root, DigiCert Global Root G2. For more information, see Announcement: DigiCert Root Certificate Upgrade. Due to Android fragmentation, some device models running Android 4.4–5.0 may have compatibility issues. Some Java versions may not include the root certificate by default—verify your specific environment.