DigiCert Root and Intermediate (ICA) Selections
The Root and Intermediate certificate chain builds trust for the SSL certificate that secures your domain. DigiCert offers several different chains that cover a wide variety of server environments. In most cases, the default option is best.
Only Organization Validation (OV) and Extended Validation (EV) certificates allow intermediate and root selection during enrollment or re-issue.
If you need help with the intermediate and root for a Domain Validation (DV) certificate, please open a ticket with our support team using your account email address.
Root Certificate Selection During Enrollment
When you enroll a new certificate, or re-issue, the enrollment form may offer a selection of intermediate certificates under Advanced settings. Only the name of the intermediate certificate will be listed, but each option matches up to a specific root. If you are looking for a specific root certificate, please check the tables below.
Use your certificate brand name and validation level (OV or EV) to match up the intermediate and roots.
DigiCert Brand SSL
DigiCert EV SSL ICAs
| Intermediate | Root | Info |
| DigiCert EV RSA CA G2 (SHA2-256) | DigiCert Global Root G2 (SHA2-256) | G2 root |
| DigiCert Global G3 TLS ECC SHA384 2020 CA1 (SHA384ECDSA) | DigiCert Global Root G3 (SHA384ECDSA) | G3 root |
| DigiCert TLS Hybrid ECC SHA384 2020 CA1 (SHA2-384) | DigiCert Global Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| DigiCert SHA2 Extended Validation Server CA (SHA2-256) | DigiCert High Assurance EV Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| DigiCert G5 TLS RSA4096 SHA384 2021 CA1 (SHA2-384) | DigiCert TLS RSA4096 Root G5 (SHA2-384) | The G5 root is not widely trusted and requires a cross-signed intermediate. |
| DigiCert G5 TLS ECC SHA384 2021 CA1 (SHA384ECDSA) | DigiCert TLS ECC P384 Root G5 (SHA384ECDSA) | The G5 root is not widely trusted and requires a cross-signed intermediate. |
DigiCert OV SSL ICAs
| Intermediate | Root | Info |
| DigiCert Global G2 TLS RSA SHA256 2020 CA1 (SHA2-245) | DigiCert Global Root G2 (SHA2-256) | G2 Root |
| DigiCert Global G3 TLS ECC SHA384 2020 CA1 (SHA384ECDSA) | DigiCert Global Root G3 (SHA384ECDSA) | G3 Root |
| DigiCert TLS RSA SHA256 2020 CA1 (SHA2-256) | DigiCert Global Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| DigiCert TLS Hybrid ECC SHA384 2020 CA1 (SHA2-384) | DigiCert Global Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| DigiCert G5 TLS RSA4096 SHA384 2021 CA1 (SHA2-384) | DigiCert TLS RSA4096 Root G5 (SHA2-384) | The G5 root is not widely trusted and requires a cross-signed intermediate. |
| DigiCert G5 TLS ECC SHA384 2021 CA1 (SHA384ECDSA) | DigiCert TLS RSA4096 Root G5 (SHA2-384) | The G5 root is not widely trusted and requires a cross-signed intermediate. |
Thawte Brand SSL
The default root for Thawte DV SSL is DigiCert Global Root G2.
Thawte EV SSL ICAs
| Intermediate | Root | Info |
| Thawte EV RSA CA G2 (SHA2-256) | DigiCert Global Root G2 (SHA2-256) | G2 root |
| Thawte TLS ECC CA G1 (SHA256ECDSA) | DigiCert Global Root G3 (SHA384ECDSA) | G3 root |
| Thawte EV ECC CA 2018 (SHA2-256) | DigiCert High Assurance EV Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| Thawte EV ECC CA 2018 (SHA2-256) | DigiCert High Assurance EV Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| Thawte G5 TLS RSA4096 SHA384 2022 CA1 (SHA2-384) | DigiCert TLS RSA4096 Root G5 | The G5 root is not widely trusted and requires a cross-signed intermediate. |
Thawte OV SSL ICAs
| Intermediate | Root | Info |
| Thawte TLS RSA CA G1 (SHA2-256) | DigiCert Global Root G2 (SHA2-256) | G2 root |
| Thawte TLS ECC CA G1 (SHA256ECDSA) | DigiCert Global Root G3 (SHA384ECDSA) | G3 root |
| Thawte RSA CA 2018 (SHA2-256) | DigiCert Global Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| Thawte ECC CA 2018 (SHA2-256) | DigiCert Global Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| Thawte G5 TLS RSA4096 SHA384 2022 CA1 (SHA2-384) | DigiCert TLS RSA4096 Root G5 (SHA2-384) | The G5 root is not widely trusted and requires a cross-signed intermediate. |
| Thawte G5 TLS ECC P-384 SHA384 2022 CA2 (SHA384ECDSA) | DigiCert TLS ECC P384 Root G5 (SHA384ECDSA) | The G5 root is not widely trusted and requires a cross-signed intermediate. |
GeoTrust Brand SSL
The default root for GeoTrust DV SSL is DigiCert Global Root G2.
GeoTrust EV SSL ICAs
| Intermediate | Root | |
| GeoTrust EV RSA CA G2 (SHA2-256) | DigiCert Global Root G2 (SHA2-256) | G2 root |
| GeoTrust TLS ECC CA G1 (SHA256ECDSA) | DigiCert Global Root G3 (SHA384ECDSA) | G3 root |
| GeoTrust EV RSA CA 2018 (SHA2-256) | DigiCert High Assurance EV Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| GeoTrust EV ECC CA 2018 (SHA2-256) | DigiCert High Assurance EV Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| GeoTrust G5 TLS RSA4096 SHA384 2022 CA1 (SHA2-384) | DigiCert TLS RSA4096 Root G5 (SHA2-384) | The G5 root is not widely trusted and requires a cross-signed intermediate. |
| GeoTrust G5 TLS ECC P-384 SHA384 2022 CA2 (SHA384ECDSA) | DigiCert TLS ECC P384 Root G5 (SHA384ECDSA) | The G5 root is not widely trusted and requires a cross-signed intermediate. |
GeoTrust OV SSL ICAs
| Intermediate | Root | |
| GeoTrust TLS RSA CA G1 (SHA2-256) | DigiCert Global Root G2 (SHA2) | G2 root |
| GeoTrust TLS ECC CA G1 (SHA2ECDSA) | DigiCert Global Root G3 (SHA384ECDSA) | G3 root |
| GeoTrust RSA CA 2018 (SHA2-256) | DigiCert Global Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| GeoTrust ECC CA 2018 (SHA2-256) | DigiCert Global Root CA (SHA1) | NOT RECOMMENDED: This root will be removed from trust stores on April 14, 2026 |
| GeoTrust G5 TLS RSA4096 SHA384 2022 CA1 (SHA2-384) | DigiCert TLS RSA4096 Root 65 (SHA2-384) | The G5 root is not widely trusted and requires a cross-signed intermediate. |
| GeoTrust G5 TLS ECC P-384 SHA384 2022 CA2 (SHA384ECDSA) | DigiCert TLS ECC P384 Root G5 | The G5 root is not widely trusted and requires a cross-signed intermediate. |
RapidSSL
RapidSSL certificates are only available at the Domain Validation (DV) level and cannot adjust intermediate or roots from the default.
- RapidSSL default root: DigiCert Global Root G2
- RapidSSL default intermediate: RapidSSL TLS RSA CA G1