The TL;DR
As of July 1, 2026, the Chrome Root Program no longer trusts TLS certificates newly issued from three DigiCert legacy roots: DigiCert Trusted Root G4, DigiCert Assured ID Root G2, and DigiCert Assured ID Root G3.
Certificates issued before that date keep working in Chrome until they expire. Anything issued or reissued on or after July 1 must chain to DigiCert Global Root G2 (RSA) or DigiCert Global Root G3 (ECC) instead.
What Happened
Google's Chrome Root Program periodically removes roots that don't meet its current expectations for dedicated TLS hierarchies. The three roots being removed are not TLS-only hierarchies — they have also issued Code Signing and Timestamping intermediate CAs, which is exactly the "multi-purpose root" pattern browser root programs have been phasing out across the industry.
Mozilla has a parallel program requiring dedicated TLS hierarchies by end of 2028, so this is part of a broader industry direction, not a DigiCert-specific penalty.
Important nuance: Chrome's removal is date-scoped, not a hard distrust. It applies to certificates with a notBefore on or after 2026-07-01. Certificates issued before that date are unaffected until they naturally expire.
Am I Affected?
You're affected if both of the following are true:
- Your TLS certificate chains to DigiCert Trusted Root G4, Assured ID Root G2, or Assured ID Root G3 — check with:
- You issue, renew, or reissue a certificate on or after July 1, 2026.
openssl s_client -connect yoursite.com:443 -showcerts 2>/dev/null | openssl x509 -noout -issuer
Or inspect the chain in the browser's certificate viewer to see which root your certificate chains to.
NOT Affected
- Certificates from the legacy roots issued before July 1, 2026 — trusted until expiry
- Anything already chaining to DigiCert Global Root G2/G3 — DigiCert's default issuance hierarchy for most current TLS products
Affected
- New issuance or reissue on/after July 1, 2026, chaining to a legacy root
- Pinned or hardcoded chains that reference the legacy roots/intermediates
The Symptom If You Get This Wrong
A certificate issued after the cutoff from a legacy root will show NET::ERR_CERT_AUTHORITY_INVALID in Chrome (and Chromium-based browsers like Edge, Brave, and Opera as they pick up the root store change), while potentially still working in Firefox or Safari.
Diagnostic tip: Divergent browser behavior on a fresh certificate — broken in Chrome/Edge but fine in Firefox/Safari — is the classic signature of a root-program distrust.
How to Fix It
- Select the current hierarchy at renewal/reissue time. Use Global Root G2 (RSA) or Global Root G3 (ECC). For most DigiCert accounts this is already the default; if you pinned or hard-configured the legacy chain, update it.
- Replace hardcoded chain bundles. Update any hardcoded intermediate/root bundles in your servers, containers, and CI — serve the chain DigiCert provides with the new certificate.
- Audit certificate pinning. If you pin to the legacy roots or their intermediates (mobile apps are the usual offenders), ship a pin update before renewing.
- Check your monitoring. If you use internal trust stores that mirror Chrome's, sync them.
Timeline
| When | What |
|---|---|
| Before 2026-07-01 | Certificates from legacy roots issued before this date: trusted until expiry. |
| 2026-07-01 | Chrome stops trusting newly issued TLS certs from Trusted Root G4 / Assured ID G2 / G3. |
| Ongoing | New issuance and reissues must chain to Global Root G2 (RSA) or G3 (ECC). |
Sources
- DigiCert Advisory: Google Chrome Root Removal — Trusted Root G4, Assured ID G2 & G3
- Chrome Root Program Policy
Track this deadline and others affecting your certificates on the PKI Compliance Hub deadline tracker.
