We would like to inform you about an upcoming change to the TLS certificates used by the WithSecure GUTS2 Server (definition update backend), planned for May 19, 2026.
We are transitioning from DigiCert to Let’s Encrypt certificates. This update aligns our backend infrastructure with our existing services, where Let’s Encrypt is already in use, and helps us streamline certificate management while maintaining industry‑standard security practices.
What does this mean for you?
- No changes are expected for the majority of environments.
- The change will be transparent if your system trusts the ISRG Root X1 certificate (the root certificate used by Let’s Encrypt).
Common environments where no action is required:
- Windows systems with Windows Update enabled
- Environments where automatic root certificate updates are allowed (not restricted by GPO / MDM policies)
- Systems where ISRG Root X1 is not explicitly removed or blocked
When action may be needed:
- Systems with restricted certificate updates
- Environments with custom trust stores
- Devices where ISRG Root X1 is missing or not trusted
In such cases, please ensure that the ISRG Root X1 root certificate is present in your trust store.
WithSecure products currently require the following root certificates for TLS communication to WithSecure backends; they must therefore be present on all machines, across all operating systems:
- Amazon Root CA 1
- Amazon Root CA 2
- Amazon Root CA 3
- Amazon Root CA 4
- Starfield Class 2 Certification
- Starfield Services Root Certificate Authority – G2
- DigiCert Global Root CA
- ISRG Root X1
- ISRG Root X2
All of these are included in the default trust stores of modern, up-to-date operating systems and should not require manual installation in the majority of deployments.
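One way to check a machine or a custom trust store against the list above (an added example, not WithSecure tooling): the script reads the roots Python's `ssl` module sees and reports which required names are absent. It assumes that matching on the certificate subject name is enough for an inventory check; it does not compare fingerprints, and the function names are illustrative.

```python
import ssl
import sys

# Root names as listed in the notice above.
REQUIRED_ROOTS = [
    "Amazon Root CA 1", "Amazon Root CA 2", "Amazon Root CA 3", "Amazon Root CA 4",
    "Starfield Class 2 Certification",
    "Starfield Services Root Certificate Authority \u2013 G2",
    "DigiCert Global Root CA",
    "ISRG Root X1", "ISRG Root X2",
]

def normalise(name):
    """Lower-case the name and map the en dash to the ASCII hyphen used in subjects."""
    return name.replace("\u2013", "-").strip().lower()

def subject_names(cert):
    """CN and OU values of one get_ca_certs() entry (a root may carry its name in OU only)."""
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key in ("commonName", "organizationalUnitName")]

def missing_roots(ca_certs, required=REQUIRED_ROOTS):
    """Return the required names that no certificate subject in ca_certs starts with."""
    present = {normalise(n) for cert in ca_certs for n in subject_names(cert)}
    return [r for r in required
            if not any(p.startswith(normalise(r)) for p in present)]

def load_trust_store(cafile=None):
    """Load the OS default store, or only the PEM bundle at cafile (custom trust stores)."""
    if cafile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx = ssl.create_default_context()
    # Certificates in an OpenSSL hashed directory (capath) are not listed until
    # they have been used, so on such systems pass the bundle file explicitly.
    return ctx.get_ca_certs()

if __name__ == "__main__":
    bundle = sys.argv[1] if len(sys.argv) > 1 else None
    missing = missing_roots(load_trust_store(bundle))
    for name in missing:
        print("MISSING:", name)
    sys.exit(1 if missing else 0)
```

On Windows with automatic root certificate updates enabled, roots are fetched on first use, so a name reported as missing there is not necessarily untrusted. The result matters most on systems with restricted updates or custom trust stores.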