![Exchange Online, SharePoint Online, and Microsoft Teams: April 2026 industry-wide DigiCert Global Root CA (G1) distrust [MC1282565]](https://mwpro.co.uk/wp-content/uploads/2025/06/pexels-pixabay-276517-1024x683.webp "Exchange Online, SharePoint Online, and Microsoft Teams: April 2026 industry-wide DigiCert Global Root CA (G1) distrust [MC1282565] 1")
[Introduction]
To support industry-wide security improvements and modern cryptographic standards, browsers and platforms that follow Mozilla and Chrome trust stores will begin distrusting the DigiCert Global Root CA (G1) starting April 15, 2026. Microsoft has already migrated Microsoft 365 services to newer, more secure certificate hierarchies (such as DigiCert Global Root G2 and G3).
We’re sharing this notification to help you quickly identify and respond to any unexpected certificate-related connection issues that may arise in edge scenarios due to this industry trust change. This change is driven by industry trust store updates and does not represent a new change or rollout within Microsoft 365 services.
[When this will happen]
- April 15, 2026: Industry-wide distrust of DigiCert Global Root CA (G1) begins
- Microsoft monitoring period: April 15, 2026 and onward
[How this affects your organization]
Who is affected
- Organizations accessing Microsoft 365 services using:
- Google Chrome or Mozilla Firefox
- Linux-based systems, containers, appliances, or software stacks that rely on Mozilla/NSS trust stores
- Only scenarios where a service endpoint still presents a TLS certificate chaining to DigiCert Global Root CA (G1)
What will happen
- Most customers will not experience any impact.
- In rare legacy scenarios:
- TLS connections may fail certificate validation
- Failures may be intermittent depending on:
- Client OS patch level
- Browser version
- Container or image refresh cadence
- Common error messages may include:
- NET::ERR_CERT_AUTHORITY_INVALID
- SEC_ERROR_UNKNOWN_ISSUER
- SunCertPathBuilderException
- verify error:num=19:self signed certificate in certificate chain
[What you can do to prepare]
No action is required if you are not experiencing certificate or TLS handshake errors.
If you encounter errors on or after April 15, 2026:
- Review the certificate chain presented by the failing endpoint
- If DigiCert Global Root CA (G1) appears:
- Stop local debugging or repeated mitigation attempts
- Collect the following triage information:
- Target URL or hostname
- Full error message and timestamp (including time zone)
- Client OS, version, browser/runtime, and whether it’s a VM, container, or appliance
- Certificate chain evidence (log output or screenshot)
- If DigiCert Global Root CA (G1) appears:
- Contact Microsoft Support through your normal support channel and reference:
- “April 15, 2026 DigiCert Global Root CA (G1) industry distrust”
This information helps route your issue directly to certificate and TLS specialists and avoids unnecessary troubleshooting steps.
[Compliance considerations]
No compliance considerations identified. Review as appropriate for your organization.
Source: Microsoft
Latest Posts
- (Updated) New Feature: Account Manager in Outlook for Windows [MC1129718]
- (Updated) Flux.2 Flex model availability in PowerPoint for Microsoft 365 Copilot [MC1302900]
- Amazon Bedrock AgentCore Runtime now supports bring-your-own file system from Amazon S3 Files and Amazon EFS
- Amazon SageMaker Unified Studio adds identity and user management features
![General Availability: Microsoft Entra passkeys on Windows [MC1282568]](https://mwpro.co.uk/wp-content/uploads/2025/06/pexels-vlado-paunovic-1567547-3038740-96x96.webp "General Availability: Microsoft Entra passkeys on Windows [MC1282568] 6")
![Power Apps – Enable online mode to access Dataverse for Canvas apps [MC1282566]](https://mwpro.co.uk/wp-content/uploads/2024/08/pexels-padrinan-1111367-150x150.webp "Power Apps - Enable online mode to access Dataverse for Canvas apps [MC1282566] 7")