Removal of TLS trust bit from Roots R1 and R3 by Mozilla
Jun 23, 2025
Removal of TLS trust bit from Roots R1 and R3 by Mozilla
Mozilla Announcement
Mozilla has announced their plans to start removing the TLS and Secure Mail trust bits from all of the older Roots in their root program. Mozilla will be removing website and S/MIME trust bits from Roots according to the following schedule:
| Key Material Created | Removal of Websites Trust Bit | Removal of S/MIME Trust Bit |
|---|---|---|
| Before 2006 | April 15, 2025 | April 15, 2028 |
| 2006-2007 | April 15, 2026 | April 15, 2029 |
| 2008-2009 | April 15, 2027 | April 15, 2029 |
| 2010-2011 | April 15, 2028 | April 15, 2031 |
| 2012- April 14, 2014 | April 15, 2029 | April 15, 2032 |
| April 15, 2014 - present | 15 years from creation | 18 years from creation |
How will this affect GlobalSign?
| Roots | TLS Stop Issuance | Mozilla Bit Removal |
|---|---|---|
| GlobalSign Root R1 | March 14, 2024 | April 15, 2025 |
| GlobalSign Root R3 | March 15, 2026 | April 15, 2027 |
| GlobalSign Root R5 (ECC) | March 15, 2028 | April 15, 2029 |
| GlobalSign Root R6 | November 09, 2028 | December 10, 2029 |
What's Changing?
The following products will be modified as part of disabling TLS issuance from Root R1:
For Atlas Customers:
-
Starting with the 2025 Q3 rotation (July 8, 2025, per our schedule posted here), a new set of CAs under our TLS dedicated roots for optional use will be created.
View sites secured with TLS certificates issued under our R46 and E46 TLS dedicated Roots here:
https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates -
In 2026 Q3, all issuance to the TLS dedicated roots will be moved. We will supply R3-R46 and R5-E46 cross certificates in providing browsers and applications with a chain back to R3 and R5 for the best ubiquity.
For GCC Customers:
- On July 27, 2026, retail and partner products will be cut over to dedicated TLS roots CAs.
- In 2025 Q3, a new set of MSSL OV/EV CAs will be created for optional use will be created. All issuance will be moved in 2026 Q3.
For customers that don’t necessarily need browser support, we highly recommend using our IntranetSSL offering which permits longer certificate validity, longer domain reuse, no CAA checks, and additional privacy since certificates are not posted to CT logs.
Products Impacted:
- TLS: DV, OV, EV
- MSSL: OV, EV
SSL Configuration Test
Check your certificate installation for SSL issues and vulnerabilities.