Notice of DigiCert Global Root CA Lifecycle
Update: March 25, 2026
Overview
Exosite’s Murano Platform supports third-party PKI through DigiCert for issuing the certificates used in the TLS connections that secure device communications to our platform. Two industry changes affect the DigiCert Global Root CA. If you use this Root CA, review them and evaluate whether you need to take action.
Change 1: DigiCert Root Hierarchy Transition
DigiCert is transitioning away from its first-generation (G1) root Certificate Authority (CA) certificates to newer, more secure second-generation (G2) root CA hierarchies.
What this means for you:
Exosite will update the DigiCert certificate chain with a cross-signed certificate from the DigiCert G2 hierarchy on March 31, 2026, to continue offering TLS with the DigiCert Global Root CA. This change will be seamless and requires no action for IoT Connectors and devices that already use the Global Root CA with standards-compliant certificate chain validation. The presented certificate chain will change from three certificates to four.
Do I Need to Take Action?
No action is required for standards-compliant certificate chain validation.
Change 2: Industry Distrust for DigiCert Global Root CA
Separately but relatedly, Mozilla and Chrome will begin to distrust DigiCert G1 hierarchy certificates from April 15, 2026. This cascades downstream to Linux distributions and to other OS and application frameworks, which will begin to remove this certificate from their trust stores.
What this means for you:
The ecosystem's distrust of this root CA may impact customers whose devices use standard OS trust stores. These customers may need to take steps before the ecosystem transitions to avoid service disruptions.
Do I Need to Take Action?
Potential action depends on how your devices manage Root CA certificates.
| Device Type | Potential Actions |
|---|---|
| Static Hardcoded Root CA Certificates | If your devices have hardcoded, pinned, or statically defined the DigiCert Global Root CA in your device software, there is no action necessary. Your devices will continue to validate your Exosite Murano IoT Connector as configured with this DigiCert Global Root CA. |
| Rely on Operating System/Application Trust Stores | If your devices use an operating system (e.g. Linux) trust store or application frameworks that maintain certificates automatically with updates, you will need to ensure that these devices ‘pin’ or manually store the DigiCert Global Root CA so that the certificate is not removed automatically. This may involve an over-the-air software update. An alternative action would be to move to a different Root CA, which can be tested on a test IoT Connector. |
Key Dates
| Date | Description |
|---|---|
| March 31, 2026 | Exosite updates DigiCert Global Root CA certificate chain. No required action. |
| April 15, 2026 | Mozilla & Chrome distrust TLS certs from DigiCert Global Root CA and will begin to impact downstream OS trust stores. |
Recommendations
Evaluate how your device software manages Root CA certificates. If you are fully aware of which Root CA your devices use and how the certificate is managed, take action as necessary. If you have any questions, please reach out to Exosite’s support team at support@exosite.com to check your understanding of the impact and, if required, create a plan for action.
Where is the Root CA defined?
Each IoT Connector on the Murano platform specifies the Root CA it uses in its settings.
How TLS / OS trust stores work — and why this matters
When your device connects to the Murano platform, it verifies the platform's presented certificate by validating a chain of trust from that certificate, up through one or more intermediate CAs, to a root CA certificate. For that connection to be trusted, the root CA must be present in a trust store: a curated list of approved root certificates maintained by the operating system or, in the case of embedded devices or applications, a set of statically defined certificates.
The critical relationship: Mozilla's trust store (NSS) is particularly far-reaching because it serves as the upstream source for the trust lists used by the vast majority of Linux and BSD operating systems. This means that when Mozilla removes a root CA — such as the DigiCert Global Root CA (G1) on April 15, 2026 — the distrust cascades downstream to Linux distributions, embedded operating systems, and any application on those platforms that relies on the system trust store. Google Chrome and Android follow their own root program policies but are enforcing similar timelines.
The practical impact for industrial IoT: Many industrial gateways, edge devices, and embedded systems run Linux-based operating systems. If those devices rely on the system trust store to validate TLS connections — rather than a bundled or pinned certificate — they will be affected when the OS pulls an updated trust store that no longer includes the DigiCert G1 root. The timing of this depends on when Linux distributions push trust store updates, which may happen before or after the official Mozilla distrust date of April 15, 2026.
Applications and runtimes that bundle their own trust stores will be affected on their own update schedules, independent of the OS trust store.
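One way to audit which case a Linux-based device falls into, as an added example (not Exosite's code): it checks whether a trust store still lists the DigiCert Global Root CA by subject common name, and builds a client context from either the OS store or a pinned file. The function names and the sample store entries are assumptions made for illustration.

```python
import ssl
import time

ROOT_CN = "DigiCert Global Root CA"  # root named on this page

def subject_cn(cert):
    """Return the subject commonName from an ssl-module certificate dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def root_status(ca_certs, cn=ROOT_CN, now=None):
    """Return 'absent', 'expired' or 'present' for the root with this CN."""
    now = time.time() if now is None else now
    matches = [c for c in ca_certs if subject_cn(c) == cn]
    if not matches:
        return "absent"
    if all(ssl.cert_time_to_seconds(c["notAfter"]) <= now for c in matches):
        return "expired"
    return "present"

def load_store(cafile=None):
    """Build a verifying client context from the OS store or one pinned PEM file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # chain + hostname checks on
    if cafile is None:
        ctx.load_default_certs()                   # device depends on OS updates
    else:
        ctx.load_verify_locations(cafile=cafile)   # only the shipped root(s)
    return ctx

# Constructed entries in the format SSLContext.get_ca_certs() returns.
SAMPLE_STORE = [
    {"subject": ((("commonName", "Example Root R1"),),),
     "notAfter": "Jan 15 00:00:00 2040 GMT"},
    {"subject": ((("organizationName", "DigiCert Inc"),),
                 (("commonName", ROOT_CN),)),
     "notAfter": "Nov 10 00:00:00 2031 GMT"},
]

if __name__ == "__main__":
    # get_ca_certs() omits capath-directory certs until they have been used,
    # so confirm an "absent" result against the bundle file directly.
    print("OS trust store:", root_status(load_store().get_ca_certs()))
```

Passing the firmware's CA file to `load_store(cafile=...)` confirms that the pinned root loads independently of OS trust store updates.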
Alternatives to DigiCert Global Root CA
Exosite will continue to support the DigiCert Global Root CA as long as DigiCert allows renewal through the new hierarchy. While we make every effort to renew the validity period, we cannot guarantee that a third-party CA will remain valid through its original expiration date, which for this CA is November 10, 2031. There is no immediate requirement to move away from the DigiCert Global Root CA. However, if you want to explore alternative Root CAs for the long term, there are two other CAs currently available from Exosite's platform.
Exosite Root CA RSA 2048
Exosite’s default Root CA and recommendation is our managed Root CA (Exosite Root CA RSA 2048). This Root CA is under Exosite's direct control and is valid through 2058. It is the recommended choice primarily because Exosite can ensure its long-term longevity. This certificate must be integrated into your device's software or trust store.
DigiCert TLS RSA4096 Root G5
Exosite’s platform also incorporates support for the latest DigiCert G5 hierarchy. This Root CA is expected to be present in all standard operating system trust stores. It is important to note that, as with all third-party Public Key Infrastructure (PKI), this Root CA is outside of Exosite's control. Consequently, Exosite cannot ensure that third-party CAs will maintain their validity through their original expiration date, such as the noted date of January 14, 2046. You can find more information below about industry trends for PKI and Root CA management.
Testing a different Root CA
For connected devices that are already deployed into the field for production use cases, you should always test an alternate Root CA on a separate IoT Connector. To use a different Root CA, that certificate must be on your devices and accessible to use with the TLS connection.
Devices that use a Trust Store
| Root CA | Update |
|---|---|
| Exosite Root CA RSA 2048 | This certificate file must be manually added to the trust store with an infield update (OTA) process. |
| DigiCert TLS RSA4096 Root G5 | There is a high likelihood this certificate exists in the trust store already if the OS has been updated recently. |
Devices that have hardcoded / static cert files
| Root CA | Update |
|---|---|
| Exosite Root CA RSA 2048 | The certificate file must be added statically to the firmware. |
| DigiCert TLS RSA4096 Root G5 | The certificate file must be added statically to the firmware. |
If your devices require an infield update (OTA), ensure that the update has been tested on your test IoT Connector to validate the transition to the new Root CA on your connector.
As this likely impacts production device connectivity, please contact Exosite’s support team if you have any questions on this topic and to help create a plan.
Why are these changes happening?
This is a summary of Industry Trends in PKI and Root CA management.
Browser root CA age limits — Mozilla has adopted a policy limiting root CA certificates to a 15-year lifespan in its trust store, after which the root is distrusted regardless of technical validity — the driver behind the G1 retirements happening in 2025–2026. (MozillaWiki)
Shrinking certificate lifespans — The CA/Browser Forum passed Ballot SC-081v3 in 2025, establishing a roadmap to reduce maximum TLS certificate validity from 398 days all the way down to 47 days, with the final milestone taking effect March 15, 2029.
Single-purpose roots replacing multi-purpose roots — Browser policies now require publicly trusted TLS certificates to be issued from TLS-dedicated root CAs carrying only the Server Authentication EKU, which is why legacy multi-purpose roots like COMODO and USERTrust are losing trust between 2025 and 2027.