Atlas TLS ICA Rotations - 2021

Atlas TLS ICA Rotations - 2021

Introduction

GlobalSign will start rotating our Atlas TLS CAs on a scheduled basis to promote good ecosystem security and agility. Historically, we have set up CAs and used them for many years, but there are many reasons to reduce this time interval. By reducing the length of time CAs are used, we achieve the following benefits:

  • We limit the number of certificates issued by a single CA and it's corresponding private key which limits impact if there is an integrity, compliance or security issue with the CA.
  • We reduce the size of CRLs which increases validation performance.
  • We train our customer base to expect and plan for immediate CA replacements which increases crypto agility.

Our final plan will have all GlobalSign Atlas TLS CAs rotated every quarter and all Customer dedicated Atlas TLS CAs rotated yearly.

  • The first GlobalSign Atlas TLS CA rotation for 2021 will take place on July 13, 2021.
  • Starting in 2022 we will update GlobalSign Atlas TLS CAs every quarter, on the second Monday of the quarter and we will update Customer dedicated Atlas TLS CAs yearly in January.

Impact and recommendations:

  • Customers should always be prepared to accept new CAs when installing new TLS certificates. The issuing CA is available in the API and should be used when downloading the certificate so that the current CA is always provisioned with the issued certificate.  
  • Customers MUST not do public key pinning to CA certificates, and we highly discourage public key pinning at all, as that defeats the purpose of crypto agility.
  • We encourage customers to follow agile practices for Issuing CAs and always download and install the provided ICA when obtaining new certificates.
  • Please subscribe to GlobalSign's Status page for important updates here - https://status.globalsign.com/
Atlas TLS Product Type New CA Name Link to new CAs that will be used effective July 13, 2021
Atlas Domain Validated TLS GlobalSign Atlas R3 DV TLS CA 2020-12 http://secure.globalsign.com/cacert/gsatlasr3dvtlsca202012.crt
Atlas Organization Validated TLS GlobalSign Atlas R3 OV TLS CA 2020-12 http://secure.globalsign.com/cacert/gsatlasr3ovtlsca202012.crt
Atlas Domain Validated TLS - ECC Keys GlobalSign Atlas ECCR5 DV TLS CA 2020-12 http://secure.globalsign.com/cacert/gsatlaseccr5dvtlsca202012.crt
Atlas Organization Validated TLS - ECC Keys GlobalSign Atlas ECCR5 OV TLS CA 2020-12 http://secure.globalsign.com/cacert/gsatlaseccr5ovtlsca202012.crt

GlobalSign System Alerts

View recent system alerts.

View Alerts

Certificate Inventory Tool

Scan your endpoints to locate all of your Certificates.

Log In / Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.