
Query on certificate

Rising Flight 6,456 Reputation points
2026-01-30T15:10:23.3766667+00:00

Hi All,

I’m running an Exchange Server SE hybrid environment. All user mailboxes are created on-premises and migrated to Exchange Online. Our MX records point to an email gateway, so all external mail first hits the gateway and is then routed to Exchange Online.

I was reviewing the following Microsoft article:

https://techcommunity.microsoft.com/blog/exchange/trust-digicert-global-root-g2-certificate-authority-to-avoid-exchange-online-ema/4488311

I can see the certificate with thumbprint DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 present in the Trusted Root Certification Authorities store on our Exchange servers and endpoints.

However, I’m unsure: Whether this certificate is installed automatically via Windows Update, or If it was manually installed by someone on our team.

Additionally, we have a large number of internal relay applications hosted on various servers that send mail through on-premises Exchange. Do all application servers involved in SMTP relay need to trust the DigiCert Global Root G2 certificate, or is it only required on the Exchange servers? Also, is this certificate OS-specific? For example, is it present by default in Windows Server 2022 but not in Windows Server 2016?

Exchange | Hybrid management

The administration of a hybrid deployment that connects on-premises Exchange Server with Exchange Online, enabling seamless integration and centralized control.


Answer accepted by question author

Teddie-D 16,885 Reputation points Microsoft External Staff Moderator
2026-01-31T02:54:54.9466667+00:00

Hi @Rising Flight 

Thank you for posting your question in the Microsoft Q&A forum. 

In almost all cases, this root certificate is installed automatically by Windows, not by Exchange and not by your admins. 

Windows devices participate in the Microsoft Trusted Root Certificate Program, which silently updates root certificates through: 

- Windows Update (when enabled).
- The Automatic Root Certificate Update mechanism built into Windows, triggered when a certificate chain is encountered.

When trust is required: 

- Servers relaying mail only inside your LAN to an on-prem Exchange receive connector
  These do not need DigiCert Global Root G2. They only need to trust your on-prem Exchange certificate, which they already do.

- Servers using Direct Send via Exchange Online (MX = .mail.protection.outlook.com)
  These do need DigiCert Global Root G2, because they establish a TLS session directly with Exchange Online.

- Servers using a smart host > Exchange on-prem > Exchange Online
  The application server itself does not need DigiCert's root. Only the hybrid Exchange servers that perform the TLS handshake with Exchange Online must trust it.

DigiCert Global Root G2 is included in the Microsoft root store for: 

- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows 10 / 11

As long as the OS can receive Microsoft’s root certificate updates, the DigiCert Global Root G2 certificate will be installed automatically regardless of Windows Server version.  

Manual import may be required only for: 

- Offline servers
- Servers with the "Do not automatically update root certificates" policy applied
- Locked-down servers in highly isolated networks

Run the following on Exchange to confirm presence of DigiCert Global Root G2:

Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4"} 

If it appears in the Root store, Windows installed it automatically unless Group Policy prevented root updates. 

I hope this information is helpful. 


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".          

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.     

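The three checks in the accepted answer (is the root in the machine store, has Group Policy blocked root auto-update, does the TLS handshake with Exchange Online actually chain to a trusted root) can be combined into one script. This is an added example written for this thread, not code from Microsoft or the answer above; the thumbprint is the one quoted in the question, the `DisableRootAutoUpdate` value is the registry setting written by the "Turn off Automatic Root Certificates Update" policy, and `$SmtpHost` is a placeholder for the tenant's own MX host. The live check needs outbound TCP 25 from the server you run it on.

```powershell
# Added example (not from the thread). Run on the Exchange or relay server under test.
# Checks: (1) is the thread's root in Cert:\LocalMachine\Root, (2) has policy disabled
# root auto-update, (3) does the chain an Exchange Online SMTP endpoint presents over
# STARTTLS build to a trusted root on this machine. $SmtpHost is a placeholder value.
param(
    [string]$Thumbprint = 'DF3C24F9BFD666761B268073FE06D1CC8D4F82A4',   # from the thread
    [string]$SmtpHost   = 'TENANT.mail.protection.outlook.com'           # placeholder
)

# (1) Root store check: the same test as the answer gives, with a readable result.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($root) { "Root present: $($root.Subject), valid until $($root.NotAfter)" }
else       { "Root NOT present in Cert:\LocalMachine\Root" }

# (2) Policy check: 'Turn off Automatic Root Certificates Update' sets DisableRootAutoUpdate=1.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$val = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($val.DisableRootAutoUpdate -eq 1) { "Root auto-update DISABLED by policy; presence implies a manual import" }
else                                   { "Root auto-update enabled; Windows installs this root on demand" }

# (3) Live chain check over SMTP STARTTLS. The validation callback accepts anything so the
#     handshake completes and the chain can be evaluated here against the local store.
function Test-SmtpStartTlsChain {
    param([string]$HostName, [int]$Port = 25)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $net = $tcp.GetStream()
    $rd  = New-Object System.IO.StreamReader($net)
    $wr  = New-Object System.IO.StreamWriter($net); $wr.NewLine = "`r`n"; $wr.AutoFlush = $true
    # SMTP multi-line replies use "250-" continuation lines; the final line has a space at index 3
    $readReply = { do { $l = $rd.ReadLine() } while ($l.Length -ge 4 -and $l[3] -eq '-'); $l }
    $null = & $readReply                                              # 220 banner
    $wr.WriteLine("EHLO $env:COMPUTERNAME"); $null = & $readReply     # 250-... / 250
    $wr.WriteLine('STARTTLS');               $reply = & $readReply
    if ($reply -notlike '220*') { throw "STARTTLS refused: $reply" }
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $cb)
    $ssl.AuthenticateAsClient($HostName)
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $built = $chain.Build($leaf)                                      # uses this machine's trust store
    $rootT = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    $ssl.Dispose(); $tcp.Close()
    [pscustomobject]@{ Host = $HostName; ChainBuilds = $built; RootThumbprint = $rootT
                       Status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ' }
}
Test-SmtpStartTlsChain -HostName $SmtpHost
```

A relay that only talks to on-prem Exchange can skip check (3); if it is run there anyway, `ChainBuilds` false with a `RootThumbprint` that does not match `$Thumbprint` tells you the server would fail TLS to Exchange Online if it were ever repointed at Direct Send.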


2 additional answers

  1. Rising Flight 6,456 Reputation points
    2026-02-09T11:32:54.5633333+00:00

    I am unable to mark as answer.



  2. AI answer

    2026-01-30T15:10:37.29+00:00

    In a hybrid Exchange environment, the DigiCert Global Root G2 certificate is crucial for establishing trust between your on-premises Exchange servers and Exchange Online. Regarding your questions:

    1. Certificate Installation: Typically, certificates in the Trusted Root Certification Authorities store can be installed automatically via Windows Update, especially if they are widely recognized root certificates like the DigiCert Global Root G2. However, it's also possible that someone on your team manually installed it. To determine the installation method, you may need to check your update logs or consult with your team members.
    2. Trust Requirement for Application Servers: All application servers involved in SMTP relay should trust the DigiCert Global Root G2 certificate. This is necessary to ensure that any communication between these servers and the Exchange servers is secure and trusted. While the Exchange servers must definitely trust this certificate, it is advisable for all SMTP relay applications to do so as well.
    3. OS Specificity: The presence of the DigiCert Global Root G2 certificate can vary by operating system version. Generally, newer versions like Windows Server 2022 are likely to include a broader set of trusted root certificates by default compared to older versions like Windows Server 2016. It is recommended to check the specific certificate store on each server to confirm its presence.


