IAS root certificate rotation (G2 update)

The IAS clients previously distributed to you include the DigiCert Global Root G1 certificate, which will be deprecated from April 15, 2026 (see the DigiCert Root & Intermediate CA Updates to learn more). To prevent trust failures after this date, IAS is transitioning to the DigiCert Global Root G2 certificate.

🚧

Mind the deadline!

To maintain secure connectivity, you must add the new G2 Root CA to your IAS clients by January 31, 2026.

This release introduces an in-place rotation process that appends the G2 certificate to the existing roots.pem file, while keeping the G1 certificate for backward compatibility.

The following sections provide a checklist, prerequisites, and step-by-step instructions to help you complete the rotation safely and without service interruption.

Overview

The table below provides a high-level overview of the steps required to ensure that your IAS deployment includes the new DigiCert Global Root G2 certificate. Each step summarizes the action, its purpose, and the completion criteria to help you plan the rotation before moving on to the detailed procedure.

| S. no | Step | Description | Completion criteria |
|---|---|---|---|
| 1 | Backup Existing Roots File | Create a backup of the existing roots.pem file before making changes. | The backup file is successfully created. |
| 2 | Append G2 Certificate | Append the full DigiCert Global Root G2 certificate to the end of roots.pem. Note: Do not remove or edit existing entries. | File saved without syntax or formatting errors. |
| 3 | Restart IAS Service | Restart IAS to load the updated certificate file. | Service restarts without errors. |
| 4 | Verify Certificate Load | Review IAS logs to confirm G2 entry appears under roots.pem. | Log shows # DigiCert Global Root G2 followed by the certificate data. |
| 5 | Confirm Successful Operation | Ensure IAS is running and all SSL/TLS operations continue without issue. | IAS service active; no connectivity or handshake errors. |
| 6 | Report Completion | Notify your Akamai support contact upon successful completion. | Confirmation email sent by your team. |

See the sections below for the detailed instructions on how to complete each step.

Prerequisites

Before performing the certificate rotation, ensure that the following prerequisites are met:

  1. Access – You have administrative (sudo) and SSH access to the IAS server.
  2. Certificate Availability – The DigiCert Global Root G2 certificate file is available for deployment. Make sure that you:
    1. Go to the Media Services Live 4 section in Download Center
    2. Expand the Ingest Acceleration Service G2 Root CA menu.
    3. Click DigiCertGlobalRootG2.crt.pem to download the certificate.
    4. Save it to a secure location accessible from your IAS host.
  3. Backup – A backup of the existing roots.pem file has been created before making any modifications.
    Example: cp /var/opt/akamai-ias/roots.pem /var/opt/akamai-ias/roots.pem.bak
  4. Hash Verification – The certificate’s SHA-256 fingerprint has been verified and matches the expected value: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

How to add the new G2 certificate

To add your certificate, follow the steps below in your preferred command-line environment (for example, Terminal, PowerShell, or a similar shell). Adjust the commands as needed for your operating system.

  1. Connect to the IAS Server. Replace <user> and <hostname-or-IP> with your actual credentials or server details: ssh -A <user>@<hostname-or-IP>

  2. Navigate to the Certificate Directory: cd /var/opt/akamai-ias/

  3. In the Certificate Directory:

    1. Confirm that the roots.pem file exists: ls -l roots.pem
    2. Back up the file before making any changes by either:
      • cp roots.pem roots.pem.bak, or
      • cp roots.pem roots.pem.bak_$(date +%Y%m%d)
  4. Edit the Root Certificate File

    1. Open the file in vi: vi roots.pem

    2. Press Shift + G to jump to the bottom of the file.

    3. Press ‘o’ to insert a new line below the last certificate.

    4. Paste the following content exactly as shown, including the comment and the blank line at the end.

      # DigiCert Global Root G2
      -----BEGIN CERTIFICATE-----
      MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
      MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
      d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
      MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
      MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
      b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
      9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
      2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
      1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
      q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
      tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
      vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
      BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
      5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
      1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
      NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
      Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
      8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
      pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
      MrY=
      -----END CERTIFICATE-----
      
      
      

    📘

    Make sure to follow the guidelines

    • The comment line (# DigiCert Global Root G2) helps future maintainers easily identify this certificate.
    • Ensure one blank line separates this new certificate from the previous one.
    • Maintain correct PEM formatting: each certificate block must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----, with no extra spaces.
    • Do not alter or remove existing certificate entries.
  5. To save your changes and exit, in vi:

    1. press Esc,
    2. type :wq!
    3. press Enter.
  6. Verify the updated file:

    1. Verify that OpenSSL can read the PEM structure:
      1. Use a simple command that checks the full bundle and lists all certificate subjects: openssl crl2pkcs7 -nocrl -certfile roots.pem | openssl pkcs7 -print_certs -noout
      2. Expected outcome: the output lists the subjects of all certificates in the file. This confirms that OpenSSL can parse all certificates and that your new root is included, for example:
        • subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
        • issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2, etc.
    2. Check PEM formatting
      1. Make sure each certificate has a matching pair of BEGIN and END lines:
        grep -E "BEGIN CERTIFICATE|END CERTIFICATE" roots.pem
      2. Expected output: the number of BEGIN and END lines should match. This ensures the file is properly formatted:
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
        ...
    3. Validate syntax using OpenSSL
      1. Check that OpenSSL can parse the full bundle:
        openssl verify -CAfile roots.pem roots.pem
      2. The expected output is the following:
        roots.pem: OK

        📘

        Some self-signed root certificates may generate a self-signed warning. This is normal and can be ignored.

    4. Confirm new line at end of file
      1. Check the last few lines to ensure the file ends cleanly: tail -n 5 roots.pem
      2. Ensure the file ends with a single new line to prevent parsing issues. If the last line is -----END CERTIFICATE----- with no blank line below it, add one: sed -i -e '$a\' roots.pem
  7. Restart the IAS Service

    1. Once validation is successful, restart IAS: sudo systemctl restart akamai-ias
    2. Confirm service status: sudo systemctl status akamai-ias
    3. You should now see: active (running)
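
The Hash Verification prerequisite and the checks in step 6 can be combined into one pass over the edited bundle. The script below is an added example, not Akamai tooling or part of the original procedure; it assumes GNU coreutils (base64, sha256sum) on the IAS host, and the file name check_roots.sh is hypothetical. It fingerprints every certificate in roots.pem and confirms that every BEGIN/END line is exact and that the G2 fingerprint listed in the prerequisites is present exactly once.

```shell
#!/bin/sh
# Added example, not Akamai tooling. Assumes GNU coreutils (base64, sha256sum).
# A certificate's SHA-256 fingerprint is the hash of its DER bytes, that is,
# of the base64-decoded body between the BEGIN and END lines.

# Expected DigiCert Global Root G2 fingerprint, copied from the prerequisites.
G2_SHA256="CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F"

# Print one "<index> <fingerprint>" line per well-formed certificate block.
bundle_fingerprints() {
  awk '
    /^-----BEGIN CERTIFICATE-----$/ { inside = 1; body = ""; next }
    /^-----END CERTIFICATE-----$/   { if (inside) print ++n, body; inside = 0; next }
    inside                          { body = body $0 }
  ' "$1" | while read -r idx b64; do
    fp=$(printf '%s' "$b64" | base64 -d 2>/dev/null | sha256sum |
         cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//')
    printf '%s %s\n' "$idx" "$fp"
  done
}

# Return 0 only if every delimiter line is exact and balanced and exactly one
# certificate has the wanted fingerprint. 2 = bad structure, 1 = wrong count.
check_bundle() {
  file=$1; want=$2
  loose=$(grep -c -e 'BEGIN CERTIFICATE' -e 'END CERTIFICATE' "$file" || true)
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
  if [ "$begins" -ne "$ends" ] || [ "$loose" -ne $((begins + ends)) ]; then
    echo "malformed or unbalanced BEGIN/END lines in $file" >&2
    return 2
  fi
  hits=$(bundle_fingerprints "$file" | grep -c " $want\$" || true)
  if [ "$hits" -ne 1 ]; then
    echo "expected fingerprint present $hits time(s), want exactly 1" >&2
    return 1
  fi
}

# Usage: sh check_roots.sh roots.pem [fingerprint]
if [ "$#" -ge 1 ]; then
  check_bundle "$1" "${2:-$G2_SHA256}" && echo "bundle OK, fingerprint present"
fi
```

Run it against the downloaded DigiCertGlobalRootG2.crt.pem before appending, and against roots.pem before restarting the service; a trailing space or Windows line ending on a delimiter line makes it return 2.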

Validation

After restarting the IAS service, verify that the certificate addition completed successfully.
The table below lists the validation steps and the expected outcomes, including confirmation that the new DigiCert Global Root G2 certificate has been loaded.

| Step | Outcome |
|---|---|
| Check service status | akamai-ias service is active and running. |
| Review latest log file | The most recent log file in /var/log/akamai-ias/ (prefix log_NORMAL_pmiaspm) should list both G1 and G2 entries. |
| Confirm new root load | The presence of the G2 certificate entry in this log confirms successful certificate rotation. No additional action required. |

Example: verifying G2 entry in log file

Each certificate block included in roots.pem begins with a descriptive header line.
To confirm the IAS service has loaded the new G2 certificate, search the latest log file for the corresponding header:

cd /var/log/akamai-ias/
ls -ltr log_NORMAL_pmiaspm*
grep -A2 "DigiCert Global Root G2" log_NORMAL_pmiaspm_<latest>.log

Expected output:

# DigiCert Global Root G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

If the expected output appears, the new G2 root certificate has been successfully added and recognized by IAS.