This article will go over the Intermediate and Root Changes for SSL Products (DomainSSL, OrganizationSSL, ExtendedSSL, and Managed SSL).
|May 27, 2019||GlobalSign will be using new signing Intermediate Certificates for some of our SSL Products as listed below.|
Starting from the 27th of May 2019, we are migrating some of our SSL Products over to the Root R3 and the Root R5 as part of our CA life cycle management and in order to address SHA-1 Root concerns.
We are changing from using a CA that chains to our older Root R1 that is SHA-1, to our Root R3 that is SHA-256. This Root R3 has been in use for several years issuing our ExtendedSSL Certificates and now we are moving our DomainSSL issuance to this Root. This new CA under Root R3 will be used to sign both RSA and ECC Certificates.
For your reference, you can check the DomainSSL Intermediate Certificates support article which is found here.
We are changing from using a CA that chains to Root R1, to CAs that chain to Root R3 and Root R5. All requests for RSA Certificates will be issued under a new RSA CA under Root R3 while all requests for ECC Certificates will be issued under a new ECC CA under Root R5. The entire chain from SSL Certificate to the Root will be consistent with respect to the key type and signing algorithms (SHA256RSA and SHA384ECDSA).
For your reference, you can check the OrganizationSSL Intermediate Certificates support article which is found here.
Retail and Partner ExtendedSSL Certificates
The CA for our Retail and Partner ExtendedSSL Certificates will not change and will continue to chain to Root R3. This CA will continue to be used to sign both RSA and ECC Certificates.
Managed SSL ExtendedSSL Certificates
Our MSSL ExtendedSSL Certificates will continue to use the existing CA for RSA keys, but will use a new ECC CA that chains to Root R5 for ECC keys which permits a complete ECC chain.
In order to provide additional trust of the ECC Certificates issued under Root R5, you may want to use the R3-R5 Cross Certificate which can be used to chain Root R5 issued Certificates back to Root R3. This will assure that the ECC Certificates are trusted by the same clients as RSA issued Certificates.
For your reference, you can check the ExtendedSSL Intermediate Certificates support article which is found here.
To summarize, please check the table below.
|SSL Products||CSR Key Type||Before May 27, 2019||After May 27, 2019|
|CA Key Type||Root||CA Key Type||Root|
|DomainSSL||RSA and ECC||RSA||R1||RSA||R3|
|ExtendedSSL (Retail/Partner)||RSA and ECC||RSA||R3||No Change||No Change|
|RSA||RSA||R3||No Change||No Change|
Impact to Customers
- When installing new Certificates (including renewals and re-issuance) for the above products issued after the 27th of May 2019, please be sure to install the new CA Certificate on the web servers.
- In some cases, the web server may need to be configured with the GlobalSign R3-R5 Cross Certificate or possibly with Root R3 or Root R5 as part of the standard configuration process. For your reference, you can check the GlobalSign Cross Certificates support article which is found here.
- Certificates issued prior to the 27th of May 2019 will continue to work without any action.
1. DomainSSL Intermediate Certificates
2. OrganizationSSL Intermediate Certificates
3. ExtendedSSL Intermediate Certificates
4. GlobalSign Cross Certificates