Background
In early 2023, Mozilla announced a new root certificate trust policy: root certificates used for server identity verification are no longer trusted if they were issued more than 15 years ago. Google Chrome added a further restriction — it no longer trusts root certificates with multiple Extended Key Usage (EKU) purposes. As a result, websites using older GlobalSign root certificates (R1, R3, R5, or R6) will eventually show security warnings or become inaccessible in these browsers.
OSS currently uses HTTPS certificates issued under the GlobalSign Root R3 root certificate. Starting June 15, 2026, OSS will issue all new and renewed certificates under the new GlobalSign Root R46 root.
To maximize compatibility during the transition, the new certificates will remain cross-signed with GlobalSign Root R1 until January 28, 2027. However, R1 expires on January 28, 2028. If your clients do not yet trust R46, update their trust stores before January 28, 2027.
Note: This is an industry-wide Certificate Authority (CA) certificate upgrade, not specific to Alibaba Group.
|
Date |
Event |
|
June 15, 2026 |
OSS begins issuing new and renewed certificates from GlobalSign Root R46 |
|
January 28, 2027 |
Cross-signing with GlobalSign Root R1 ends — clients that don't trust R46 will fail |
|
January 28, 2028 |
GlobalSign Root R1 expires |
Affected environments
Most modern operating systems and browsers already trust GlobalSign root certificates and will not be affected. Your environment is likely affected if any of the following is true:
You manage clients, backend services, or hardware devices with custom or restricted trust stores that include only GlobalSign Root R3 (or a specific intermediate certificate) and do not yet include Root R46.
Your application uses certificate pinning — it explicitly checks for a specific certificate thumbprint, subject distinguished name (DN), common name, serial number, or public key. If the pin targets a certificate that chains to R3, SSL validation will fail once R46 certificates are deployed.
Recommended actions
Complete these steps before January 28, 2027.
Update your trust store. If you manage clients, hardware devices, or backend services that access OSS domains, ensure that their trust stores include the GlobalSign Root R46 certificate.
Stop certificate pinning. Certificate pinning causes validation failures during necessary root certificate rotations. Remove any pins tied to GlobalSign Root R3 or its intermediate certificates. If your security policy requires pinning, update your pin sets to accept GlobalSign Root R46 and any of its subordinate (intermediate) CAs so future certificate rotations do not disrupt your service.
Verify the R46 root certificate
Access your test OSS environment from your client. A successful response confirms that SSL validation passed. If the SSL connection fails, install the new root certificate on your client by following Install a root certificate in the operating system.
The complete list of GlobalSign root certificates is available at: https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates
Check whether GlobalSign Root CA - R46 (Subject) is in your trusted root certificate store. If not, add it.
-
Strongly recommended: Add the full GlobalSign root certificate bundle to your trust store to cover all current and future roots:
Related information
Mozilla's updated root certificate trust policy
In early 2023, Mozilla announced that root certificates used for server identity verification will no longer be trusted after 15 years. Details: https://wiki.mozilla.org/CA/Root_CA_Lifecycles
Google's announcement: https://googlechrome.github.io/chromerootprogram/policy-archive/policy-version-1-5/
GlobalSign's root certificate upgrade
Because of Mozilla's policy, some GlobalSign root certificates lost trust before their expiration dates and must be deprecated early. In December 2023, GlobalSign announced the upgrade: https://support.globalsign.com/ssl/upcoming-changes-tls-roots-and-certificate-profiles
Chrome EKU restrictions
The extensions field in a certificate describes its usage constraints. Extended Key Usage (EKU) defines the certificate's purpose — for example, serverAuth, clientAuth, codeSigning, emailProtection, or macAddress.
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
Authority Information Access:
OCSP - URI:http://ocsp2.globalsign.com/rootr6
CA Issuers - URI:http://secure.globalsign.com/cacert/root-r6.crt
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.globalsign.com/root-r6.crl
Starting June 15, 2026, Chrome will restrict all CAs in its root store. It will no longer trust CAs if their certificates lack a specified EKU or include Public Key Infrastructure (PKI) purposes beyond TLS — such as client authentication, secure email, or digital signatures.
Google's announcement: https://googlechrome.github.io/chromerootprogram/ (see section 1.3.2)
EKU changes: https://www.cfca.com.cn/20251009/200001105.html