Mozilla will begin distrusting older DigiCert root certificates in 2025. Affected by this distrust policy, DigiCert will upgrade to the second-generation (G2) root and intermediate CA (ICA) hierarchies from March 8, 2023, and gradually stop issuing SSL/TLS certificates from the old root certificates. Considering Mozilla’s distrust policy only takes effect in 2025. DigiCert users will have enough time to re-sign or switch to the latest DigiCert G2 root certificate.

On account of what has been said above, DigiCert has announced that from March 8, 2023, the DigiCert SSL certificates will gradually be issued from the G2 root and the new ICA certificates. But don’t worry: All certificates issued and effective before March 8, 2023 will not be affected and will remain trusted until they expire.

See the table below for the dates specified in the Mozilla certificate distrust and dates.

The Impact of Switching Root and ICA Certificates.

1. The G2 root certificate no longer approves of the previous SHA1 algorithm and uses the more secure SHA256 algorithm.
2. All certificates issued after March 8, 2023, including reissued and updated certificates, will be linked to the G2 root hierarchy. When installing the certificate, make sure to include the latest LCA certificate provided by DigiCert.
3. If the old root certificate and the ICA certificate are embedded in the server-end or client-end, the verification of new certificates issued from the G2 root will fail. If you have any questions regarding this, you can contact our technical staff, NicSRS will provide professional advice and assistance.

Why Is SHA256 More Reliable and Secure Than SHA1?

The new root certificate uses SHA256 hashing algorithm. Previous research and experimental results have shown that SHA1 has weaknesses and is vulnerable to attack. SHA256 was developed to address these issues and increase security. SHA256 is one of the most well-known and widely used cryptographic algorithms at present, which is considered more reliable and secure than SHA1 and thus has become a new standard. This is what you could take away from this section even if you don’t know much about secure hashing algorithms. And to know more about the differences between SHA1, SHA2 and SHA256, please refer to this article.

We advise you to make preparations for this update in advance to prevent business interruption. Please make sure you are aware of and willing to accept the risks if you must continue using the current old root certificate after March 8, 2023.

Please read here about affected DigiCert brands and DigiCert’s announcement.