DigiCert Legacy Root (G1) distrust by major browsers

Browsers and operating systems are completing the removal of DigiCert's legacy G1 root certificates from their trust stores, effective April 15, 2026.

DigiCert announced this planned deprecation in 2023 and has been issuing certificates from its newer G2 roots since 2020.

Because DigiCert is not among the certificate authorities Cloudflare uses, this change may only affect customers who upload custom certificates issued from DigiCert G1 roots.

The change

The primary root being distrusted is DigiCert Global Root CA. The distrust also affects other legacy G1 intermediates cross-signed from this root.

DigiCert Global Root G2 and G3 remain fully trusted. Certificates that chain to G2 are unaffected.

Refer to DigiCert's root and intermediate CA certificate updates for the full list of affected roots.
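
To check whether a custom certificate bundle chains to the root named above, the following added example (not Cloudflare's or DigiCert's code) reads the issuer names OpenSSL prints for the bundle and flags any certificate issued directly by DigiCert Global Root CA. It only matches that one root, so other affected legacy intermediates still need to be checked against DigiCert's list; the file name `chain.pem`, the function names and the sample lines are assumptions constructed for illustration.

```shell
# Added example. Input is the subject=/issuer= text printed by:
#   openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
# (chain.pem is an assumed name for the uploaded certificate bundle.)

LEGACY_ROOT_CN="DigiCert Global Root CA"   # the root named on this page

# Print the CN from one subject=/issuer= line. Handles both OpenSSL layouts:
# "CN = name" (1.1.1 and later) and "/CN=name" (older releases).
cn_of() {
  printf '%s\n' "$1" | sed -E -n 's#.*CN ?= ?([^,/]*).*#\1#p' | sed -E 's/[[:space:]]+$//'
}

# Read subject=/issuer= pairs on stdin, print one verdict per certificate,
# and return 1 if any certificate is issued directly by the legacy root.
# The comparison is exact, so "DigiCert Global Root G2" does not match.
check_chain() {
  cc_subject="" cc_affected=0
  while IFS= read -r cc_line; do
    case "$cc_line" in
      subject=*) cc_subject=$(cn_of "$cc_line") ;;
      issuer=*)
        cc_issuer=$(cn_of "$cc_line")
        if [ "$cc_issuer" = "$LEGACY_ROOT_CN" ]; then
          echo "AFFECTED: '$cc_subject' is issued by '$cc_issuer'"
          cc_affected=1
        else
          echo "ok: '$cc_subject' is issued by '$cc_issuer'"
        fi ;;
    esac
  done
  return "$cc_affected"
}

# Constructed sample output (not real certificates): a chain ending at the
# legacy root in the newer layout, and a G2 chain in the older layout.
G1_SAMPLE='subject=CN = www.example.com
issuer=C = US, O = Example Org, CN = Example Intermediate A
subject=C = US, O = Example Org, CN = Example Intermediate A
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA'
G2_SAMPLE='subject=/CN=www.example.com
issuer=/C=US/O=Example Org/CN=Example Intermediate B
subject=/C=US/O=Example Org/CN=Example Intermediate B
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2'

printf '%s\n' "$G1_SAMPLE" | check_chain || echo "reissue from a G2 intermediate"
printf '%s\n' "$G2_SAMPLE" | check_chain && echo "no legacy root in chain"
```

Uploaded bundles usually omit the root itself, which is why the check looks at issuer names rather than expecting the root certificate to be present.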

DigiCert's recommendation

DigiCert recommends reissuing any affected certificates from a G2 intermediate. This is a standard reissuance — you do not need to generate a new key in most cases.

Cloudflare-managed certificates

Since Cloudflare does not use DigiCert roots, you can avoid this dependency entirely by switching to Cloudflare-managed certificates:

More resources