DigiCert Intermediate CA Replacement

Solution In Progress - Updated -


An audit of DigitCert's intermediate CAs for extended validation certificates (EV) has revealed an inconsistency. In accordance with the Mozilla policy and CAB forum requirements, DigiCert is retiring 14 intermediate CAs. About 35,000 to 50,000 certificates in total are affected. The certificates will be retired on Saturday 2020-07-11 at 18:00 UTC.

The intermediate certificates are:

  • DigiCert Global CA G2
  • GeoTrust TLS RSA CA G1
  • Secure Site CA
  • Thawte TLS RSA CA G1
  • Cybertrust Japan Secure Server ECC CA
  • DigiCert Global CA G3
  • GeoTrust TLS ECC CA G1
  • Thawte TLS ECC CA G1
  • NCC Group Secure Server CA G3
  • Aetna Inc. Secure CA2
  • DigiCert SHA2 High Assurance Server CA
  • NCC Group Secure Server CA G2
  • Plex Devices High Assurance CA2
  • TERENA SSL High Assurance CA 3

The certificates are listed in the Mozilla CA Certificate Disclosures database. Domain-validated certificates (DV) and organization-validated certificates (OV) are not affected.


The issue affects all systems that use a server certificate that is signed by any of the listed intermediate CAs.

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In