All Products
Document Center

Certificate Management Service:[Announcement] Update of DigiCert root certificates

Last Updated:Sep 20, 2023

Dear Alibaba Cloud users,

Mozilla updated its trust policy for root certificates. The new policy requires the root certificates of all certificate authorities (CAs) in the world to be changed at least once every 15 years from creation. Root certificates that are not changed 15 years from creation gradually lose trust from Mozilla. DigiCert starts to gradually update some existing root certificates to DigiCert Global Root G2 from the middle of March, 2023.

Update details

Involved root certificates

Original root certificate

Time when Mozilla trust is lost

Impact scope

New root certificate

Baltimore CyberTrust Root

April 15, 2025 (The root certificate expires on May 15, 2025.)

Cross certificates used to ensure compatibility

DigiCert Global Root G2

DigiCert Global Root CA

April 15, 2026

DigiCert domain validated (DV) and organization validated (OV) certificates

DigiCert Global Root G2

DigiCert High Assurance EV Root CA

April 15, 2026

DigiCert extended validation (EV) certificates

DigiCert Global Root G2

Involved DV certificate chains

Certificate brand

Original intermediate certificate

Original root certificate

New intermediate certificate

New root certificate

GeoTrust and RapidSSL

RapidSSL Global TLS RSA4096 SHA256 2022 CA1

Digicert Global Root CA


Digicert Global Root G2


Encryption Everywhere DV TLS CA - G1

Digicert Global Root CA

Encryption Everywhere DV TLS CA - G2

Digicert Global Root G2

Update impact

  • DigiCert Global Root G2 uses the SHA-256 signature algorithm, which helps improve security.

  • Certificates that are issued before the middle of March, 2023 are not affected. From the middle of March, 2023, DigiCert, GeoTrust, and RapidSSL certificates are issued by using new root and intermediate certificates.

  • The new root system is compatible with mainstream operating systems and mobile devices.

  • The root certificates that are preconfigured for clients such as apps and IoT terminals are affected. We recommend that you use the default Truststore to implement verification in this scenario.

If you have questions, contact your account manager.

Thank you for your support.