Overview

On April 5, 2023, the root certificate authority (CA) and intermediate certificate authority (ICA) used to sign Datadog certificates changed from:

43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61

52:27:4C:57:CE:4D:EE:3B:49:DB:7A:7F:F7:08:C0:40:F7:71:89:8B:3B:E8:87:25:A8:6F:B4:43:01:82:FE:14

to:

CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

C8:02:5F:9F:C6:5F:DF:C9:5B:3C:A8:CC:78:67:B9:A5:87:B5:27:79:73:95:79:17:46:3F:C8:13:D0:B6:25:A9

Affected domains

Datadog has already started deploying certificates signed by the new DigiCert G2 root CA on web properties. Eventually all Datadog domains will be signed by this new certificate.

Action needed

Most Datadog customers do not need to do anything. The DigiCert G2 root certificate was added to the ca-certificates package used by most Linux distributions in 2014.

If you are pinning part or all of the certificate chain for specific Datadog domains, or use an Agent Proxy Configuration with an outdated CA trust store, you might encounter certificate validation errors as Datadog switches to the G2 root certificate. Pinning specific certificates for Datadog endpoints is not recommended.

You can test your configuration by attempting to connect to https://global-root-g2.chain-demos.digicert.com. If you do not encounter certificate validation errors, your configuration trusts the new G2 root certificate and you can connect to Datadog sites signed by the G2 root certificate.

If you need to manually add the new root and ICA, you can download the DigiCert Trusted Root Authority Certificates from the DigiCert website.