Favorite your Message Center and Roadmap items. Access them anytime via your Profile. Export and share with your team or your LLM.

Exchange Online, SharePoint Online, and Microsoft Teams: April 2026 industry-wide DigiCert Global Root CA (G1) distrust

Message ID
MC1282565
View in Message Center
Service
Microsoft 365 suite
Category
Plan for Change
Tags
User impactAdmin impact
Rollout
April 2026

Summary

Starting April 15, 2026, browsers and platforms will distrust DigiCert Global Root CA (G1). Microsoft 365 services use newer certificates, so most users won't be affected. Legacy scenarios may face TLS errors. If issues arise, verify the certificate chain and contact Microsoft Support referencing the April 2026 distrust.

Details

[Introduction]

To support industry-wide security improvements and modern cryptographic standards, browsers and platforms that follow Mozilla and Chrome trust stores will begin distrusting the DigiCert Global Root CA (G1) starting April 15, 2026. Microsoft has already migrated Microsoft 365 services to newer, more secure certificate hierarchies (such as DigiCert Global Root G2 and G3).

We’re sharing this notification to help you quickly identify and respond to any unexpected certificate-related connection issues that may arise in edge scenarios due to this industry trust change. This change is driven by industry trust store updates and does not represent a new change or rollout within Microsoft 365 services.

[When this will happen]

  • April 15, 2026: Industry-wide distrust of DigiCert Global Root CA (G1) begins
  • Microsoft monitoring period: April 15, 2026 and onward

[How this affects your organization]

Who is affected

  • Organizations accessing Microsoft 365 services using:
    • Google Chrome or Mozilla Firefox
    • Linux-based systems, containers, appliances, or software stacks that rely on Mozilla/NSS trust stores
  • Only scenarios where a service endpoint still presents a TLS certificate chaining to DigiCert Global Root CA (G1)

What will happen

  • Most customers will not experience any impact.
  • In rare legacy scenarios:
    • TLS connections may fail certificate validation
    • Failures may be intermittent depending on:
      • Client OS patch level
      • Browser version
      • Container or image refresh cadence
  • Common error messages may include:
    • NET::ERR_CERT_AUTHORITY_INVALID
    • SEC_ERROR_UNKNOWN_ISSUER
    • SunCertPathBuilderException
    • verify error:num=19:self signed certificate in certificate chain

[What you can do to prepare]

No action is required if you are not experiencing certificate or TLS handshake errors.

If you encounter errors on or after April 15, 2026:

  • Review the certificate chain presented by the failing endpoint
    • If DigiCert Global Root CA (G1) appears:
      • Stop local debugging or repeated mitigation attempts
      • Collect the following triage information:
        • Target URL or hostname
        • Full error message and timestamp (including time zone)
        • Client OS, version, browser/runtime, and whether it’s a VM, container, or appliance
        • Certificate chain evidence (log output or screenshot)
  • Contact Microsoft Support through your normal support channel and reference:
    • April 15, 2026 DigiCert Global Root CA (G1) industry distrust

This information helps route your issue directly to certificate and TLS specialists and avoids unnecessary troubleshooting steps.

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.

Change History

Show
Published: April 16, 2026
Last Updated: April 16, 2026
No change history available

Never Miss a Microsoft 365 Update

Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.

Explore Dashboard Sign Up Free