OSS root certificate upgrade: April 2026

更新时间:
复制 MD 格式

Background

In early 2023, Mozilla announced a new root certificate trust policy: root certificates used for server identity verification are no longer trusted if they were issued more than 15 years ago. Google Chrome added a further restriction — it no longer trusts root certificates with multiple Extended Key Usage (EKU) purposes. As a result, websites using older GlobalSign root certificates (R1, R3, R5, or R6) will eventually show security warnings or become inaccessible in these browsers.

OSS currently uses HTTPS certificates issued under the GlobalSign Root R3 root certificate. Starting June 15, 2026, OSS will issue all new and renewed certificates under the new GlobalSign Root R46 root.

Important

To maximize compatibility during the transition, the new certificates will remain cross-signed with GlobalSign Root R1 until January 28, 2027. However, R1 expires on January 28, 2028. If your clients do not yet trust R46, update their trust stores before January 28, 2027.

Note: This is an industry-wide Certificate Authority (CA) certificate upgrade, not specific to Alibaba Group.

Date

Event

June 15, 2026

OSS begins issuing new and renewed certificates from GlobalSign Root R46

January 28, 2027

Cross-signing with GlobalSign Root R1 ends — clients that don't trust R46 will fail

January 28, 2028

GlobalSign Root R1 expires

Affected environments

Most modern operating systems and browsers already trust GlobalSign root certificates and will not be affected. Your environment is likely affected if any of the following is true:

  • You manage clients, backend services, or hardware devices with custom or restricted trust stores that include only GlobalSign Root R3 (or a specific intermediate certificate) and do not yet include Root R46.

  • Your application uses certificate pinning — it explicitly checks for a specific certificate thumbprint, subject distinguished name (DN), common name, serial number, or public key. If the pin targets a certificate that chains to R3, SSL validation will fail once R46 certificates are deployed.

Recommended actions

Complete these steps before January 28, 2027.

  • Update your trust store. If you manage clients, hardware devices, or backend services that access OSS domains, ensure that their trust stores include the GlobalSign Root R46 certificate.

  • Stop certificate pinning. Certificate pinning causes validation failures during necessary root certificate rotations. Remove any pins tied to GlobalSign Root R3 or its intermediate certificates. If your security policy requires pinning, update your pin sets to accept GlobalSign Root R46 and any of its subordinate (intermediate) CAs so future certificate rotations do not disrupt your service.

Verify the R46 root certificate

Access your test OSS environment from your client. A successful response confirms that SSL validation passed. If the SSL connection fails, install the new root certificate on your client by following Install a root certificate in the operating system.

The complete list of GlobalSign root certificates is available at: https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates

  • Check whether GlobalSign Root CA - R46 (Subject) is in your trusted root certificate store. If not, add it.

  • Strongly recommended: Add the full GlobalSign root certificate bundle to your trust store to cover all current and future roots:

    GlobalSign root certificate list.zip

Related information

Mozilla's updated root certificate trust policy

In early 2023, Mozilla announced that root certificates used for server identity verification will no longer be trusted after 15 years. Details: https://wiki.mozilla.org/CA/Root_CA_Lifecycles

Google's announcement: https://googlechrome.github.io/chromerootprogram/policy-archive/policy-version-1-5/

GlobalSign's root certificate upgrade

Because of Mozilla's policy, some GlobalSign root certificates lost trust before their expiration dates and must be deprecated early. In December 2023, GlobalSign announced the upgrade: https://support.globalsign.com/ssl/upcoming-changes-tls-roots-and-certificate-profiles

Chrome EKU restrictions

The extensions field in a certificate describes its usage constraints. Extended Key Usage (EKU) defines the certificate's purpose — for example, serverAuth, clientAuth, codeSigning, emailProtection, or macAddress.

X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Certificate Sign, CRL Sign
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:0
    Authority Information Access:
        OCSP - URI:http://ocsp2.globalsign.com/rootr6
        CA Issuers - URI:http://secure.globalsign.com/cacert/root-r6.crt
    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://crl.globalsign.com/root-r6.crl

Starting June 15, 2026, Chrome will restrict all CAs in its root store. It will no longer trust CAs if their certificates lack a specified EKU or include Public Key Infrastructure (PKI) purposes beyond TLS — such as client authentication, secure email, or digital signatures.