Jun 23, 2025
Mozilla has announced their plans to start removing the TLS and Secure Mail trust bits from all of the older Roots in their root program. Mozilla will be removing website and S/MIME trust bits from Roots according to the following schedule:
Key Material Created | Removal of Websites Trust Bit | Removal of S/MIME Trust Bit |
---|---|---|
Before 2006 | April 15, 2025 | April 15, 2028 |
2006-2007 | April 15, 2026 | April 15, 2029 |
2008-2009 | April 15, 2027 | April 15, 2029 |
2010-2011 | April 15, 2028 | April 15, 2031 |
2012- April 14, 2014 | April 15, 2029 | April 15, 2032 |
April 15, 2014 - present | 15 years from creation | 18 years from creation |
Roots | TLS Stop Issuance | Mozilla Bit Removal |
---|---|---|
GlobalSign Root R1 | March 14, 2024 | April 15, 2025 |
GlobalSign Root R3 | March 15, 2026 | April 15, 2027 |
GlobalSign Root R5 (ECC) | March 15, 2028 | April 15, 2029 |
GlobalSign Root R6 | November 09, 2028 | December 10, 2029 |
The following products will be modified as part of disabling TLS issuance from Root R1:
Starting with the 2025 Q3 rotation (July 8, 2025, per our schedule posted here), a new set of CAs under our TLS dedicated roots for optional use will be created.
View sites secured with TLS certificates issued under our R46 and E46 TLS dedicated Roots here:
https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates
In 2026 Q3, all issuance to the TLS dedicated roots will be moved. We will supply R3-R46 and R5-E46 cross certificates in providing browsers and applications with a chain back to R3 and R5 for the best ubiquity.
For customers that don’t necessarily need browser support, we highly recommend using our IntranetSSL offering which permits longer certificate validity, longer domain reuse, no CAA checks, and additional privacy since certificates are not posted to CT logs.
Check your certificate installation for SSL issues and vulnerabilities.