Removal of TLS trust bit from Roots R1 and R3 by Mozilla

Jun 23, 2025

Removal of TLS trust bit from Roots R1 and R3 by Mozilla

Mozilla Announcement

Mozilla has announced their plans to start removing the TLS and Secure Mail trust bits from all of the older Roots in their root program. Mozilla will be removing website and S/MIME trust bits from Roots according to the following schedule:

Key Material Created Removal of Websites Trust Bit Removal of S/MIME Trust Bit
Before 2006 April 15, 2025 April 15, 2028
2006-2007 April 15, 2026 April 15, 2029
2008-2009 April 15, 2027 April 15, 2029
2010-2011 April 15, 2028 April 15, 2031
2012- April 14, 2014 April 15, 2029 April 15, 2032
April 15, 2014 - present 15 years from creation 18 years from creation

How will this affect GlobalSign?

Roots TLS Stop Issuance Mozilla Bit Removal
GlobalSign Root R1 March 14, 2024 April 15, 2025
GlobalSign Root R3 March 15, 2026 April 15, 2027
GlobalSign Root R5 (ECC) March 15, 2028 April 15, 2029
GlobalSign Root R6 November 09, 2028 December 10, 2029

What's Changing?

The following products will be modified as part of disabling TLS issuance from Root R1:

For Atlas Customers:

  • Starting with the 2025 Q3 rotation (July 8, 2025, per our schedule posted here), a new set of CAs under our TLS dedicated roots for optional use will be created.

    View sites secured with TLS certificates issued under our R46 and E46 TLS dedicated Roots here: 
    https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates

  • In 2026 Q3, all issuance to the TLS dedicated roots will be moved. We will supply R3-R46 and R5-E46 cross certificates in providing browsers and applications with a chain back to R3 and R5 for the best ubiquity.

For GCC Customers:

  • On July 27, 2026, retail and partner products will be cut over to dedicated TLS roots CAs.
  • In 2025 Q3, a new set of MSSL OV/EV CAs will be created for optional use will be created. All issuance will be moved in 2026 Q3.
     

For customers that don’t necessarily need browser support, we highly recommend using our IntranetSSL offering which permits longer certificate validity, longer domain reuse, no CAA checks, and additional privacy since certificates are not posted to CT logs.

Products Impacted:

  • TLS: DV, OV, EV
  • MSSL: OV, EV

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support