Part 6 of 6
A practical 2026 checklist for TLS certificate trust changes, DigiCert chain updates, automation, and monitoring.
Introduction
If you do not want all the background detail and only want the practical action plan, this is the post to save.
2026 is important for two reasons: some older DigiCert trust paths are losing browser trust, and certificate lifetimes are on a path toward becoming much shorter.
The checklist
Start by listing every public HTTPS service you manage. That includes websites, blogs, reverse proxies, APIs, dashboards, VPN portals, and mail-related TLS endpoints.
Next, inspect the live certificate chain for each service. Do not assume that a non-expired certificate means everything is fine.
Then check whether any system still depends on older DigiCert G1-rooted issuance before the April 15, 2026 distrust deadline. Also review whether any affected intermediate or cross-signed certificate components need action before the published May 15, 2026 revocation event.
After that, look for custom trust logic in your environment:
- pinned roots
- pinned intermediates
- bundled CA stores
- Java keystores
- container images
- mobile apps
- internal software that assumes a specific trust chain
Then move to renewal automation. If you still renew manually, start testing ACME-based renewal now.
Finally, add monitoring. At a minimum, monitor for:
- upcoming expiry
- failed renewals
- unexpected chain changes
- missing intermediates
- service reload failures after renewal
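The chain inspection and the chain-related monitoring items above can be scripted. The following is an added example, not code from the original post: it runs a set of checks over a chain you have already fetched (leaf first, in the `notAfter` format that Python's `ssl.SSLSocket.getpeercert()` returns). The CA names, the trusted-root set and the sample chain are constructed placeholders.

```python
from datetime import datetime, timezone
from ssl import cert_time_to_seconds

# Roots this environment trusts, keyed by subject. Placeholder names, not real CAs.
TRUSTED_ROOTS = {"CN=Example Root CA G2"}

# Constructed sample: the chain as a server sent it, leaf first.
SAMPLE_CHAIN = [
    {"subject": "CN=www.example.org", "issuer": "CN=Example Issuing CA G2",
     "notAfter": "Apr 10 23:59:59 2026 GMT"},
    {"subject": "CN=Example Issuing CA G2", "issuer": "CN=Example Root CA G2",
     "notAfter": "Mar  1 23:59:59 2031 GMT"},
]

def check_chain(chain, trusted_roots, expected_path, now, warn_days=30):
    """Return a list of findings; an empty list means the chain passed.

    expected_path: the issuers seen at the last good check (leaf issuer
    first); any difference is reported as an unexpected chain change.
    """
    findings = []
    if not chain:
        return ["no certificate presented"]
    for cert in chain:  # 1. expiry on every element, not only the leaf
        expires = datetime.fromtimestamp(cert_time_to_seconds(cert["notAfter"]), timezone.utc)
        days_left = (expires - now).days
        if days_left < 0:
            findings.append(f"expired: {cert['subject']}")
        elif days_left < warn_days:
            findings.append(f"expires in {days_left} days: {cert['subject']}")
    for child, parent in zip(chain, chain[1:]):  # 2. each issuer must be the next subject
        if child["issuer"] != parent["subject"]:
            findings.append(f"chain break: {child['subject']} is issued by "
                            f"{child['issuer']}, but the next element is {parent['subject']}")
    last = chain[-1]  # 3. the chain must end at something the trust store accepts
    if last["issuer"] not in trusted_roots and last["subject"] not in trusted_roots:
        findings.append(f"missing intermediate or untrusted anchor: {last['issuer']}")
    path = tuple(cert["issuer"] for cert in chain)  # 4. compare against the baseline
    if path != tuple(expected_path):
        findings.append(f"chain changed: now {path}, expected {tuple(expected_path)}")
    return findings

if __name__ == "__main__":
    baseline = ("CN=Example Issuing CA G2", "CN=Example Root CA G2")
    today = datetime(2026, 3, 20, tzinfo=timezone.utc)  # constructed date for the demo
    for line in check_chain(SAMPLE_CHAIN, TRUSTED_ROOTS, baseline, today) or ["chain OK"]:
        print(line)
```

Feed it the output of whatever you already use to pull a chain (for example the certificates printed by `openssl s_client -showcerts`), and run it on a schedule so a new intermediate or a dropped one is noticed before clients start failing.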
Closing thoughts
Certificates used to be something many admins could ignore until close to expiry. That is no longer a good strategy.
The safer approach now is clear: understand the chain, update old trust paths, automate renewal, and monitor the process properly.
Series complete.