Blog Post

Exchange Team Blog
6 MIN READ

Trust DigiCert Global Root G2 Certificate Authority to Avoid Exchange Online Email Disruption

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Jan 28, 2026
UPDATE 3/16/2026: We worked with the partner team to republish the Microsoft 365 Root Certificate Chain Bundles for Worldwide (WWMT) and GCC High / DoD (ITAR) after identifying that the previously pu...
Updated Mar 18, 2026
Version 13.0
announcements
exchange online
on premises
security
transport
chrlau80's avatar
chrlau80
Copper Contributor
Mar 17, 2026

Checked root cert on Exchange On-premise servers and all good.
Next tried to follow your guidance on intermediate as it was not installed.
Then downloaded the bundles "Microsoft 365 Root Certificate Chain Bundle - Worldwide" which was these two files "m365_root_certs_20220331.p7b" and "m365_root_certs_20260316.p7b"

I had no luck getting the Intermediate "DigiCert Global G2 TLS RSA SHA256 2020 CA1" seems to be not part of any of the two bundles. No one with that exact name!

I ended up importing from certlm GUI and it added multiple certs which was not added by using the certutil as described by you those results below:
So you are sure about the name?

Please recheck you guidance on intermediate and please correct it.

My tries on certutil method:
As you specify nothing I did try both via certutil and the one that I guess is newest according to name fails.

[PS] C:\Cert\Microsoft cert bundle>certutil -addstore Root .\m365_root_certs_20260316.p7b

Root "Trusted Root Certification Authorities"

Cannot add a non-root certificate to the root store

CertUtil: -addstore command FAILED: 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)

CertUtil: The data is invalid.

The other one worked:

[PS] C:\Cert\Microsoft cert bundle>certutil -addstore Root .\m365_root_certs_20220331.p7b

Root "Trusted Root Certification Authorities"

Signature matches Public Key

Certificate "thawte Primary Root CA - G3" added to store.

Signature matches Public Key

Certificate "DigiCert Global Root G2" added to store.

Signature matches Public Key

Related Certificates:

 

Exact match:

Element 2:

Serial Number: 04000000000121585308a2

Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3

NotBefore: 18-03-2009 11:00

NotAfter: 18-03-2029 11:00

Subject: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3

Signature matches Public Key

Root Certificate: Subject matches Issuer

Cert Hash(sha1): d69b561148f01c77c54578c10926df5b856976ad

 

Certificate "GlobalSign" already in store.

Signature matches Public Key

Certificate "Baltimore CyberTrust Root" added to store.

Signature matches Public Key

Certificate "GlobalSign Root CA" added to store.

Signature matches Public Key

Certificate "DigiCert Global Root CA" added to store.

Signature matches Public Key

Certificate "D-TRUST Root Class 3 CA 2 EV 2009" added to store.

Signature matches Public Key

Certificate "Entrust Root Certification Authority - G2" added to store.

Signature matches Public Key

Certificate "CNNIC ROOT" added to store.

Signature matches Public Key

Certificate "DigiCert High Assurance EV Root CA" added to store.

Signature matches Public Key

Certificate "D-TRUST Root Class 3 CA 2 2009" added to store.

Signature matches Public Key

Certificate "Entrust.net Certification Authority (2048)" added to store.

Signature matches Public Key

Certificate "VeriSign Class 3 Public Primary Certification Authority - G5" added to store.

Signature matches Public Key

Certificate "ISRG Root X1" added to store.

CertUtil: -addstore command completed successfully

  • Nino_Bilic's avatar
    Nino_Bilic
    Icon for Microsoft rankMicrosoft
    Mar 17, 2026

    The bundle was updated yesterday; the new version of the bundle contains interim certs.

    • Claudius Rücker's avatar
      Claudius Rücker
      Copper Contributor
      Mar 18, 2026

      Ciao Nino_Bilic​,
      so we have to import the file m365_root_certs_20260316.p7b with this line:

      certutil -addstore CA "<PathToP7bFiles>\m365_root_certs_20260316.p7b"
      correct?
      Would be greate if the article would have a correct how to...

      Is this really the way Microsoft want to work with the customers? In an Enterprise Environment with a change process etc. and a lot of other work to do, 6 days to change something is way to short... 

      • chrlau80's avatar
        chrlau80
        Copper Contributor
        Mar 18, 2026

        Nino_Bilic​  Please confirm if the bundle mentioned is the correct one.
        Downloaded both and I did see one of them is old, but as no matches to info in this blog i imported both.
        Also as I wrote i had to open certlm and import manually, the command did not work.
        You should check and correct your blog info if what I see is same for all. Maybe because the new bundle contains intermediates then you cannot the certutil command -addstore root as there are not only Root certs in the bundle!?? 

        And confirm that we do only need to "think" of the one from 16/3-26 = m365_root_certs_20260316.p7b

        As you specify nothing I did try both via certutil and the one that I guess is newest according to name fails.

        [PS] C:\Cert\Microsoft cert bundle>certutil -addstore Root .\m365_root_certs_20260316.p7b

        Root "Trusted Root Certification Authorities"

        Cannot add a non-root certificate to the root store

        CertUtil: -addstore command FAILED: 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)

        CertUtil: The data is invalid.