A root certificate is a public key certificate issued by a certificate authority (CA) and is the start of a certificate chain. A root certificate has an independent validity period, which is not affected by the expiration of a chained certificate.
The following list describes when redeployment is required and when it is not required:
Redeployment not required
For specific SSL certificates, root certificates are pre-installed in mainstream web browsers, such as Google Chrome, Mozilla Firefox, and Microsoft Edge, most operating systems, such as Windows and macOS, and mobile devices that run mobile operating systems, such as iOS and Android. When the root certificates expire, the CAs automatically update them.
Redeployment required
For clients that do not have root certificates pre-installed, such as apps, Java clients, browsers of earlier versions, and Internet of Things (IoT) devices, the root certificates may change if you change the brands or types of SSL certificates when re-purchasing the SSL certificates, or when the root certificates of CAs expire. To address this issue for a client, you must manually download the root certificate of the same type as the server certificate and manually install the root certificate to the client.
For more information, see Download a root certificate.