Jul 11, 2025
OVERVIEW: This page contains upcoming changes and updates to GlobalSign TLS Roots and Certificate profiles. This page will be revised regularly to reflect new updates. We recommend that you bookmark or revisit this page for the latest changes and developments. For the list of GlobalSign Root Certificates, please refer to this page.
Mozilla and Chrome have announced changes that necessitate changes to the Root Certificates GlobalSign uses and to the TLS certificate profiles for publicly trusted TLS certificate offerings. This article describes the source of these new requirements and our timeline for complying with them.
Mozilla announcement on removing roots that are more than 15 years old.
Mozilla Root Store Policy.
Chrome Root Program Policy.
CAB Forum Ballot SC-81 to reduce the maximum validity period starting in March 2026 to 200 days.
Both Chrome and Mozilla have announced plans to stop trusting older roots for TLS, based on the dates when the roots were created.
Key Material Created | Removal of Root for TLS use | Applicable GlobalSign Roots |
---|---|---|
Before 2006 | April 15, 2025 | GlobalSign Root R1 – Issuance is currently disabled |
2006-2007 | April 15, 2026 | |
2008-2009 | April 15, 2027 | GlobalSign Root R3 – we must stop issuance of 200-day certificates by August 27, 2026 for them to be trusted by Mozilla and Chrome for their entire life |
2010-2011 | April 15, 2028 | |
2012 - April 14, 2014 | April 15, 2029 | GlobalSign Root R5 (ECC) |
April 15, 2014 - present | 15 years from creation | GlobalSign Root R6 |
Both Chrome and Mozilla have set timelines for moving to TLS dedicated roots. Currently, the roots in use by GlobalSign (R3, R5, R6) are multi-purpose roots that are used for Secure Mail, Code Signing and other uses. In 2019, GlobalSign created two TLS dedicated roots, one with RSA keys, R46, and the other with ECC keys, E46. For the list of GlobalSign Root Certificates, please refer to this page.
The most stringent requirements come from the Chrome Root Program Policy which, based on our issuance plans, will have the SCTNotAfter constraint set on all GlobalSign multi-purpose roots 90 days from June 15, 2026. This means that all certificates issued under any of the GlobalSign multi-purpose roots prior to September 13, 2026 will be trusted for their full validity period, and any certificates issued after this date will not be trusted.
In addition to the Roots being removed and/or the SCTNotAfter constraint being applied, Chrome has specified that TLS certificates issued under TLS dedicated roots must contain only the ServerAuth Extended Key Usage (EKU). This means that all other EKUs, which include the commonly used ClientAuth EKU, will no longer be possible under TLS dedicated roots.
Given all the references above, GlobalSign will continue to issue TLS certificates with ServerAuth and ClientAuth EKUs that will be trusted for their entire 200-day validity under our multi-purpose roots until August 2026; however, we intend to make the transition before this to avoid any unforeseen last-minute challenges. A more detailed plan follows:
Starting with the 2025 Q3 CA rotation (July 8, 2025, per our schedule posted here), a new set of CAs under our TLS dedicated roots will be created and available for optional use.
Customers that want to test against TLS certificates issued from the TLS Dedicated roots may do so by using the test links available on the GlobalSign Root Certificate support article under the applicable root.
In 2026 Q3, all TLS issuances will be moved to the TLS dedicated roots. We will supply R3-R46 and R5-E46 cross certificates which will provide browsers and applications with a chain back to R3 and R5 for the best ubiquity.
For Atlas customers that don’t necessarily need browser support, we highly recommend using our IntranetSSL offering which permits longer certificate validity, longer domain reuse, no CAA checks, and additional privacy since certificates are not posted to CT logs.
In 2025 Q4, a new set of MSSL OV/EV CAs will be created for optional use. All issuance will be moved in 2026 Q3.
On July 27, 2026, retail and partner products will be cut over to dedicated TLS roots CAs.
For our Enterprise customers that don’t necessarily need browser support, we highly recommend using our IntranetSSL offering which permits longer certificate validity, longer domain reuse, no CAA checks, and additional privacy since certificates are not posted to CT logs.
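The following is an added example, not GlobalSign's code: a small Python check that applies the SCTNotAfter date, the ServerAuth-only rule for TLS dedicated roots and the July 27, 2026 cutover from this article to a certificate inventory. The record layout, finding codes and sample inventory are constructed, and applying the retail and partner cutover date to every record is an assumption.

```python
from datetime import date, timedelta

# Dates and root names come from the article; the record layout, finding
# codes and sample inventory are constructed for this example.
MULTI_PURPOSE = {"R3", "R5", "R6"}
TLS_DEDICATED = {"R46", "E46"}
SCT_NOT_AFTER = date(2026, 6, 15) + timedelta(days=90)  # Chrome cutoff
RETAIL_CUTOVER = date(2026, 7, 27)  # retail and partner products move

def review(rec, cutover=RETAIL_CUTOVER):
    """Return finding codes for one certificate record."""
    findings = []
    ekus = set(rec["ekus"])
    if rec["root"] in MULTI_PURPOSE:
        # Only issuance prior to the cutoff keeps Chrome trust; the cutoff
        # day itself is treated as unsafe (conservative assumption).
        if rec["issued"] >= SCT_NOT_AFTER:
            findings.append("CHROME_UNTRUSTED_AFTER_SCTNOTAFTER")
        # Still valid at the cutover: a replacement issued from then on comes
        # from a TLS dedicated root and carries ServerAuth only.
        if "clientAuth" in ekus and rec["not_after"] >= cutover:
            findings.append("CLIENTAUTH_LOST_AT_REPLACEMENT")
    elif rec["root"] in TLS_DEDICATED:
        if ekus != {"serverAuth"}:
            findings.append("EKU_NOT_ALLOWED_UNDER_DEDICATED_ROOT")
    else:
        findings.append("UNKNOWN_ROOT")
    return findings

def review_inventory(inventory):
    """Map certificate name to findings, skipping clean certificates."""
    report = {r["name"]: review(r) for r in inventory}
    return {name: f for name, f in report.items() if f}

def record(name, root, issued, ekus, days=200):
    """Build a constructed record; validity defaults to 200 days."""
    return {"name": name, "root": root, "issued": issued,
            "not_after": issued + timedelta(days=days), "ekus": ekus}

SAMPLE = [  # constructed inventory
    record("www.example.test", "R3", date(2026, 3, 20), ["serverAuth", "clientAuth"]),
    record("api.example.test", "R46", date(2026, 8, 1), ["serverAuth"]),
    record("mtls.example.test", "R6", date(2026, 9, 13), ["serverAuth", "clientAuth"]),
    record("old.example.test", "R3", date(2025, 9, 1), ["serverAuth", "clientAuth"]),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE).items():
        print(name, findings)
```

Records flagged `CLIENTAUTH_LOST_AT_REPLACEMENT` are the ones where client authentication needs another certificate source before the existing certificate expires.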
TLS: DV, OV, EV
MSSL: OV, EV