Certificate Management Service: Download and install root certificates

Last Updated: Dec 26, 2025

A root certificate is the foundation of an SSL/TLS trust chain and verifies all subordinate certificates (including intermediate certificates and server certificates) issued by a certification authority (CA). Mainstream browsers and operating systems typically include pre-installed root certificates from trusted CAs. However, in environments such as mobile apps, Java clients, legacy systems, or Internet of Things (IoT) devices, a missing root certificate can cause HTTPS connection failures or insecure-connection warnings. This guide provides download links for root certificates from major CA brands and installation guides for various clients to help you establish a complete trust chain, ensuring the security and availability of SSL/TLS communication.

Use cases

This topic applies to client environments that require manual installation of a root certificate:

  • Mobile applications: Apps with custom trust stores that do not sync with the system or browser's list of root certificates.

  • Java clients: Applications that use an independent Java KeyStore (cacerts) and do not rely on the operating system's trust store.

  • Legacy operating systems or browsers: Older systems, such as Windows XP or Android 4.x, that do not have pre-installed root certificates from newer CAs.

  • Internet of Things (IoT) devices and embedded systems: Resource-constrained devices that typically include a limited set of root certificates.

  • Corporate intranet environments: Systems using a private CA whose root certificate is not included in public trust stores.

  • Specific compliance or security policies: Environments that require explicit control over the list of trusted CAs.

Important
  • For modern browsers (such as Chrome, Firefox, Safari, and Edge) and operating systems (such as Windows 10/11, macOS, Android 8 or later, and iOS 12 or later), you do not need to perform manual operations when using certificates issued by major international CAs such as DigiCert and GlobalSign. Their root certificates are pre-installed and automatically updated by the operating system.

  • For legacy operating systems, such as Android 4.4.2, install the corresponding cross-root certificate manually to ensure a complete trust chain.

Download root certificates

Note

If you are installing a root certificate from an internal enterprise CA, skip this step and proceed directly to the Install root certificates step.

Download links for root certificates by brand

Download the appropriate root certificate based on the SSL certificate brand (for example, DigiCert or GeoTrust) and certificate type (DV/OV/EV) used on your server. For example, if your server uses a DigiCert OV SSL certificate, download the corresponding DigiCert OV root certificate.

Certificate brand / Root certificate download

  • DigiCert

    Note

    Starting December 1, 2024, SSL certificates of the DigiCert brands will be issued from a new root and intermediate certificate chain. For more information, see Announcement on DigiCert Root Certificate Replacement.

  • GeoTrust

  • Rapid

  • GlobalSign

  • Alibaba Cloud

    Note

    Starting September 18, 2025, Alibaba Cloud will begin issuing its branded SSL certificates using a new root and intermediate certificate. For more information, see [Announcement] Alibaba Brand Certificate Root Update Announcement.

DigiCert root certificate compatibility

| Operating system or browser | DigiCert Global Root CA (old) | DigiCert Global Root G2 (old - transitional) | DigiCert Global Root G2 (new - cross-root) |
|---|---|---|---|
| Fingerprint | a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 | 8bf7f178a745a11bac6ae5b586fc1838eadcb2cf |
| Windows (Internal network) | Windows 7+ | Windows 8+ | Windows 7+ |
| macOS | Mac OS X 10.6+ | Mac OS X 10.10+ | Mac OS X 10.6+ |
| iOS | iOS 4.0+ | iOS 7.0+ | iOS 4.0+ |
| Firefox | Firefox 2+ | Firefox 32+ | Firefox 2+ |
| NSS | NSS 3.11.8 | NSS 3.16.3 | NSS 3.11.8 |
| Android | Android 1.1+ | Android 5.0+ | Android 1.1+ |
| Java | JRE 1.4.2_17+ | JRE 1.8.0_131+ | JRE 1.4.2_17+ |

Windows (Internet): Windows XP SP3+

Chrome: Starting with Chrome 108, Chrome uses its own trust store. Earlier versions rely on the operating system's trust store.

Install root certificates

Install a root certificate on an operating system

Windows

The following steps use Windows 10 as an example.

  1. Open the Microsoft Management Console (MMC).

    Press Win+R to open the Run dialog box. Enter mmc and click OK to open the MMC console.

  2. Add the Certificates snap-in to the MMC console.

    1. In the menu bar at the top of the console, choose File > Add/Remove Snap-in.

    2. In the Add or Remove Snap-ins dialog box, select Certificates from the Available snap-ins list on the left and click Add.

    3. In the Certificates snap-in dialog box, select Computer account, and then click Next.

    4. In the Select Computer dialog box, select Local computer (the computer this console is running on), and click Finish.

  3. Import the root certificate.

    1. In the navigation pane on the left of the MMC console, expand Certificates (Local Computer).

    2. Select the destination folder, such as Enterprise Trust. Right-click the folder and choose All Tasks > Import.

      Note
      • Personal: Stores certificates for the current user or computer.

      • Trusted Root Certification Authorities: Contains root certificates from CAs that the operating system trusts by default.

      • Intermediate Certification Authorities: Stores intermediate certificates that link server certificates to a trusted root.

      • Enterprise Trust: Stores certificates from an internal enterprise CA, trusted only within the organization's network.

    3. Follow the on-screen instructions to complete the certificate import.

macOS

The following steps use macOS 12.5.1 as an example.

  1. Open the macOS Launchpad.

  2. In the Launchpad search box, enter Keychain Access, and then click Keychain Access.

  3. On the Keychain Access page, click the Certificates tab.

  4. Drag the downloaded root certificate to an empty area on the Certificates tab in Keychain Access. macOS automatically verifies the root certificate.

    Note

    To download a root certificate, see Download root certificates.

  5. Right-click the newly added root certificate and click Get Info.

  6. On the certificate information page, select Always Trust and click the image icon.

Linux

The specific paths and commands for installing a root certificate on Linux systems vary by distribution. The following sections provide examples for CentOS/Red Hat and Ubuntu/Debian.

CentOS/Red Hat

  1. Install the system CA certificates package.

    sudo yum install ca-certificates

  2. Import the root certificate. Upload the root certificate file to the system certificate directory.

    Path: /etc/pki/ca-trust/source/anchors/

  3. Update the certificate trust store.

    sudo update-ca-trust extract

    The system regenerates the trust bundle at /etc/pki/tls/certs/ca-bundle.crt.

  4. Verify the certificate. Use OpenSSL to test the HTTPS connection.

    openssl s_client -connect example.com:443 -CAfile /etc/pki/tls/certs/ca-bundle.crt

    Note

    Verification points:

    • The output should contain your certificate chain information.

    • If the connection is successful and ends with Verify return code: 0 (ok), the certificate is trusted.

Ubuntu/Debian

  1. Install the system CA certificates package.

    sudo apt install ca-certificates

  2. Import the root certificate. Upload the root certificate file to the system certificate directory.

    Path: /usr/local/share/ca-certificates/

  3. Update the certificate trust store.

    sudo update-ca-certificates

    The system automatically merges the new certificate into the system root certificate file /etc/ssl/certs/ca-certificates.crt.

  4. Verify the certificate.

    1. Use OpenSSL to verify:

      # Use the following command to check if the certificate file is in the trust store. Replace your-certificate.crt with your root certificate file name.
      openssl verify /usr/local/share/ca-certificates/your-certificate.crt

      If the output is /usr/local/share/ca-certificates/your-certificate.crt: OK, the verification is successful.

    2. Check for the symbolic link:

      # Check if a corresponding .pem symbolic link file is generated in the directory. Replace your-certificate with your root certificate file name.
      ls -la /etc/ssl/certs | grep your-certificate

Install a root certificate in a browser

Note

For browsers that use the system's trust store (such as Chrome, Edge, and IE on Windows), we recommend importing the root certificate into the operating system instead of a single browser. The steps in this section apply only to scenarios where you need to configure a root certificate for a specific browser.

Google Chrome

Note

This section uses Windows 10 and Chrome 138.0.7204.102 (64-bit) as an example.

  1. Import the root certificate in the Chrome browser.

    1. Open the Chrome browser, click the menu icon in the upper-right corner, and select Settings.

    2. On the Settings page, in the left navigation pane, click Privacy and security.

    3. On the page that appears, click Security > Manage certificates > Manage certificates imported from Windows.

    4. In the Certificate Manager window, click the Trusted Root Certification Authorities tab.

    5. Click the Import button in the lower-left corner. Follow the prompts to select and import the root certificate file. An Import Successful message is displayed upon completion.

  2. Verify the import.

    1. Confirm that the target root certificate was successfully imported to the selected path.

    2. Restart the Chrome browser.

    3. Access the target website and check that security warnings, such as "untrusted certificate" prompts, no longer appear.

Microsoft Edge

Note

This section uses Windows 10 and Microsoft Edge 92.0.902.67 (64-bit) as an example.

  1. Import the root certificate in the Edge browser.

    1. Open the Edge browser, click the menu icon in the upper-right corner, and select Settings.

    2. On the Settings page, click the Privacy, search, and services tab.

    3. Scroll down to the Security section and click Manage certificates. The Windows Certificate Manager dialog box opens.

    4. In the Certificate Manager window, click the Trusted Root Certification Authorities tab.

    5. Click the Import button in the lower-left corner. Follow the prompts to import the root certificate file. An Import Successful message is displayed upon completion.

  2. Verify the import.

    1. Confirm that the target root certificate was successfully imported to the selected path.

    2. Restart the Edge browser.

    3. Access the target website and check that security warnings, such as "untrusted certificate" prompts, no longer appear.

Mozilla Firefox

Note

This section uses Windows 10 and Firefox 142.0.1 (64-bit) as an example.

  1. Import the root certificate in the Firefox browser.

    1. Open the Firefox browser, click the menu icon in the upper-right corner, and select Settings.

    2. On the Settings page, click the Privacy & Security tab.

    3. Scroll down to the Certificates section and click View Certificates. The Certificate Manager dialog box opens.

    4. In the Certificate Manager window, click the Authorities tab and then click the Import button.

    5. Follow the prompts to select the root certificate file and complete the import.

  2. Verify the import.

    1. On the Authorities tab, check the Certificate Name column to verify that the root certificate was imported successfully.

    2. Restart the Firefox browser.

    3. Access the target website and check that security warnings, such as "untrusted certificate" prompts, no longer appear.

Internet Explorer

Note

This section uses Windows 10 and Internet Explorer 11.1.20348.0 as an example.

  1. Import the root certificate in Internet Explorer.

    1. Open Internet Explorer, click the gear icon in the upper-right corner, and select Internet Options.

    2. In the Internet Options window, click the Content tab.

    3. Click the Certificates button to open the Certificates window.

    4. In the Certificates window, click the Trusted Root Certification Authorities tab.

    5. Click the Import button in the lower-left corner. Follow the prompts to import the root certificate file.

  2. Verify the import.

    1. Confirm that the target root certificate was successfully imported to the selected path.

    2. Restart Internet Explorer.

    3. Access the target website and check that security warnings, such as "untrusted certificate" prompts, no longer appear.

Costs and risks

  • Security risks

    • Untrusted sources: Obtain root certificates only from official or authoritative channels. Installing a root certificate from an unknown source can lead to malware injection or man-in-the-middle attacks, which can severely compromise system security.

    • Operational errors: Importing a certificate to the wrong storage location or importing an incorrectly formatted certificate file can disrupt the system's trust chain or cause application connection failures.

  • Compatibility and maintenance costs

    • System/application version limitations: Some legacy operating systems or applications may not support new root certificate algorithms or standards and may require an upgrade to ensure compatibility.

    • Root certificate expiration or changes: Root certificates have an expiration date. When a root certificate is about to expire or a Certificate Authority (CA) issues a new one, you must update the root certificate on all relevant clients to maintain a valid trust chain.

  • Bulk deployment costs

    • Manually installing root certificates on many heterogeneous devices is inefficient and error-prone. For bulk deployment and unified maintenance, you can develop automated scripts or use configuration or device management tools.
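
The Linux installation steps and the untrusted-source and bulk-deployment risks above can be handled together. The following is an added example, not a script from Alibaba Cloud or any CA: it installs a root certificate only if its fingerprint matches the value you expect and it is not about to expire. The function names and the script name install-root.sh are hypothetical, and the 40-hex-digit fingerprints in the compatibility table are assumed to be SHA-1.

```shell
#!/bin/sh
# Added example (not vendor code): pin-check a root certificate, then install
# it using the directories and update commands from the Linux steps above.

# Lowercase hex without separators, so "A8:98:5D:..." (openssl output) and
# "a8985d..." (the fingerprint table) compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Normalized SHA-1 fingerprint of a PEM certificate file (assumed SHA-1).
cert_sha1() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1) || return 1
    normalize_fp "${fp#*=}"
}

# Map os-release "ID ID_LIKE" words to "<anchor dir>|<update command>".
trust_target() {
    case " $1 " in
        *" rhel "*|*" centos "*)
            echo "/etc/pki/ca-trust/source/anchors|update-ca-trust extract" ;;
        *" debian "*|*" ubuntu "*)
            echo "/usr/local/share/ca-certificates|update-ca-certificates" ;;
        *) return 1 ;;
    esac
}

# install_root <pem-file> <expected-sha1>; run as root.
install_root() {
    cert=$1
    want=$(normalize_fp "$2")
    got=$(cert_sha1 "$cert") || { echo "unreadable PEM: $cert" >&2; return 2; }
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: got $got, expected $want" >&2
        return 3
    fi
    # Refuse a root that has expired or expires within 30 days.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || {
        echo "certificate expires within 30 days: $cert" >&2; return 4; }
    . /etc/os-release
    target=$(trust_target "$ID ${ID_LIKE:-}") || {
        echo "unsupported distribution: $ID" >&2; return 5; }
    dir=${target%%|*}
    update=${target#*|}
    # update-ca-certificates only reads files ending in .crt, so force that.
    name=$(basename "$cert")
    install -m 0644 "$cert" "$dir/${name%.*}.crt" || return 6
    $update
}

# Usage: sh install-root.sh <pem-file> <expected-sha1>
if [ "$#" -eq 2 ]; then install_root "$1" "$2"; fi
```

Take the expected fingerprint from the CA's own published value, not from the same location the certificate file was downloaded from.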

FAQ

Do I need to redeploy the root certificate after my SSL certificate expires?

  • No replacement needed:

    For root certificates from trusted Certificate Authorities (CAs) that are pre-installed in mainstream browsers and operating systems, the operating system or browser automatically handles updates. You do not need to manually redeploy root certificates on these clients.

  • Replacement needed: 

    For clients that do not have pre-installed root certificates, such as mobile apps with built-in trust stores, standalone Java clients, legacy browsers, or IoT devices, you may need to redeploy a root certificate in the following situations:

    • You changed the certificate brand or type (DV/OV/EV) when purchasing a new SSL certificate.

    • The original root certificate expired, or the CA announced a switch to a new root certificate.

    In these scenarios, you must download the root certificate that matches the server's certificate chain and manually install it on the affected clients as described in this topic.

How do I install an intermediate certificate?

The process for importing an intermediate certificate is similar to importing a root certificate. You can follow the steps in the "Install root certificates" section of this topic. In the target system or browser, select the appropriate certificate store, which is usually "Intermediate Certification Authorities" or "Authorities", and import the corresponding intermediate certificate file.

Java client fails to access HTTPS

If a Java client fails to access an HTTPS service, the cause is often a missing root or intermediate certificate in the Java Runtime Environment (JRE) trust store. For more information, see Java client fails to access HTTPS.

Which operating systems are supported by DigiCert and GeoTrust certificates?

| Certificate brand | Root certificate | Windows | macOS X | Android | Java |
|---|---|---|---|---|---|
| DigiCert DV certificates | New root certificate (DigiCert Global Root G2) | Windows 8 and later | OS X 10.7 and later | Android 4.4.2 and later | Java 1.8 and later |
| DigiCert DV certificates | Old root certificate (DigiCert Global Root CA) | Windows 7 and later | OS X 10.5 and later | Android 2.3.3 and later | Java 1.6.05 and later |
| Rapid DV certificates | New root certificate (DigiCert Global Root G2) | Windows 8 and later | OS X 10.7 and later | Android 4.4.2 and later | Java 1.8 and later |
| GeoTrust OV and EV certificates | Old root certificate (DigiCert Global Root CA) | Windows 7 and later | OS X 10.5 and later | Android 2.3.3 and later | Java 1.6.05 and later |

Note

Starting from mid-March 2023, SSL certificates from the DigiCert and GeoTrust brands will be issued through the new root certificate, DigiCert Global Root G2. For more information, see Announcement: DigiCert Root Certificate Upgrade.

Because of Android fragmentation, some Android versions between 4.4 and 5.0 have compatibility issues. These issues typically affect older device models.

Some Java versions may not include the root certificate. You can check your specific environment to confirm.