Microsoft 365 Message Center Archive

MC1282565 - Exchange Online, SharePoint Online, and Microsoft Teams: April 2026 industry-wide DigiCert Global Root CA (G1) distrust

Message ID

MC1282565

View in Message Center

Service

Microsoft 365 suite

Published

Apr 16, 2026

Tag

User impact
Admin impact

Summary

Starting April 15, 2026, browsers and platforms will distrust DigiCert Global Root CA (G1). Microsoft 365 services use newer certificates, so most users won't be affected. Legacy scenarios may face TLS errors. If issues arise, verify the certificate chain and contact Microsoft Support referencing the April 2026 distrust.

More information

Introduction

To support industry-wide security improvements and modern cryptographic standards, browsers and platforms that follow Mozilla and Chrome trust stores will begin distrusting the DigiCert Global Root CA (G1) starting April 15, 2026. Microsoft has already migrated Microsoft 365 services to newer, more secure certificate hierarchies (such as DigiCert Global Root G2 and G3).

We’re sharing this notification to help you quickly identify and respond to any unexpected certificate-related connection issues that may arise in edge scenarios due to this industry trust change. This change is driven by industry trust store updates and does not represent a new change or rollout within Microsoft 365 services.

When this will happen

  • April 15, 2026: Industry-wide distrust of DigiCert Global Root CA (G1) begins
  • Microsoft monitoring period: April 15, 2026 and onward

How this affects your organization

Who is affected

  • Organizations accessing Microsoft 365 services using:
    • Google Chrome or Mozilla Firefox
    • Linux-based systems, containers, appliances, or software stacks that rely on Mozilla/NSS trust stores
  • Only scenarios where a service endpoint still presents a TLS certificate chaining to DigiCert Global Root CA (G1)

What will happen

  • Most customers will not experience any impact.
  • In rare legacy scenarios:
    • TLS connections may fail certificate validation
    • Failures may be intermittent depending on:
      • Client OS patch level
      • Browser version
      • Container or image refresh cadence
  • Common error messages may include:
    • NET::ERR_CERT_AUTHORITY_INVALID
    • SEC_ERROR_UNKNOWN_ISSUER
    • SunCertPathBuilderException
    • verify error:num=19:self signed certificate in certificate chain

What you can do to prepare

No action is required if you are not experiencing certificate or TLS handshake errors.

If you encounter errors on or after April 15, 2026:

  • Review the certificate chain presented by the failing endpoint
    • If DigiCert Global Root CA (G1) appears:
      • Stop local debugging or repeated mitigation attempts
      • Collect the following triage information:
        • Target URL or hostname
        • Full error message and timestamp (including time zone)
        • Client OS, version, browser/runtime, and whether it’s a VM, container, or appliance
        • Certificate chain evidence (log output or screenshot)
  • Contact Microsoft Support through your normal support channel and reference:
    • April 15, 2026 DigiCert Global Root CA (G1) industry distrust

This information helps route your issue directly to certificate and TLS specialists and avoids unnecessary troubleshooting steps.

Compliance considerations

No compliance considerations identified. Review as appropriate for your organization.