GlobalSign SSL Products Intermediate and Root Migration

GlobalSign SSL Products Intermediate and Root Migration

Overview

As of May 2019, GlobalSign migrated some of its SSL/TLS products to Root R3 and Root R5 as part of our CA life cycle management process and to address SHA-1 Root concerns.

DomainSSL Certificates


All DomainSSL Certificates chain to our SHA-256 Root R3. Root R3 has been in use for several years issuing our ExtendedSSL Certificates, and now our DomainSSL issuance has been moved to this Root. The CA we created for this purpose will be used to sign both RSA and ECC Certificates. 

For your reference, you can check the DomainSSL Intermediate Certificates support article which is found here

OrganizationSSL Certificates


All OrganizationalSSL Certificates chain to our SHA-256 Root R3 and SHA-384 ECC Root R5. All requests for RSA Certificates will be issued under a new RSA CA under Root R3 while all requests for ECC Certificates will be issued under an ECC CA under Root R5. The entire chain from SSL Certificate to the Root will be consistent with respect to key type and signing algorithms (SHA256RSA and SHA384ECDSA). 

For your reference, you can check the OrganizationSSL Intermediate Certificates support article which is found here

Retail and Partner ExtendedSSL Certificates


The CA for our Retail and Partner ExtendedSSL Certificates continue to chain to Root R3. This CA will continue to be used to sign both RSA and ECC Certificates.  

Managed SSL ExtendedSSL Certificates


Our MSSL ExtendedSSL Certificates continue to use the existing ICA for RSA keys, but use a new ECC CA that chains to Root R5 for ECC keys which permits a complete ECC chain.

To provide additional trust of the ECC Certificates issued under Root R5, you may want to use the R3-R5 Cross Certificate which can be used to chain Root R5 issued Certificates back to Root R3. This will assure that the ECC Certificates are trusted by the same clients as RSA issued Certificates. 

For your reference, you can check the ExtendedSSL Intermediate Certificates support article which is found here.

 

GlobalSign SSL Products, Key Types, and Roots 

 

SSL Products CSR Key Type Before May 27, 2019 After May 27, 2019
CA Key Type Root CA Key Type Root
DomainSSL RSA and ECC RSA R1 RSA R3
OrganizationSSL
(Retail/Partner, MSSL)
RSA RSA R1 RSA R3
ECC RSA R1 ECC R5
ExtendedSSL (Retail/Partner) RSA and ECC RSA R3 No Change No Change
ExtendedSSL
(MSSL)
RSA RSA R3 No Change No Change
ECC RSA R3 ECC R5

 

Please note that in some cases, the web server may need to be configured with the GlobalSign R3-R5 Cross Certificate or possibly with Root R3 or Root R5 as part of the standard configuration process. For your reference, you can check the GlobalSign Cross Certificates support article which is found here.

 

Sources


1. DomainSSL Intermediate Certificates
2. OrganizationSSL Intermediate Certificates
3. ​ExtendedSSL Intermediate Certificates
4. GlobalSign Cross Certificates

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Certificate Inventory Tool

Please click the button below to log in or sign up.

Log In - Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.