Upcoming Changes to TLS Roots and Certificate Profiles

Feb 26, 2026

OVERVIEW: This article explains upcoming industry-driven changes that affect GlobalSign publicly trusted TLS Root certificates and TLS Certificate profiles. These changes are introduced by browser root programs (primarily Mozilla Firefox and Google Chrome) and the CA/Browser Forum. GlobalSign is updating its infrastructure to remain fully compliant while minimizing customer impact. This page is updated regularly; we recommend bookmarking it and checking back for the latest guidance. For more SSL/TLS advisories, please refer to this page.

Important Assurance

  • GlobalSign’s existing root certificates are not being revoked. 
  • Older roots will continue to exist and may still be used for their natural lifetimes for:
    • Non-TLS use cases, or 
    • Environments that do not require public browser trust
  • Intermediate certificates (ICAs) issued under these root certificates will also not be revoked.
     

Summary of Key Changes 

Browser vendors periodically update their root store policies to improve ecosystem security and consistency. Recent policy updates from Mozilla Firefox, Google Chrome, and the CA/Browser Forum introduced three key changes that affect publicly trusted TLS certificates:

  1. Maximum root age limits: Mozilla Firefox and Google Chrome will no longer trust TLS certificates that chain to roots older than a defined age.

  2. TLS-dedicated root requirements: Publicly trusted TLS certificates must be issued from roots dedicated exclusively to TLS and must contain only the Server Authentication (ServerAuth) EKU.

  3. Shorter TLS certificate lifetimes: The CA/Browser Forum has approved reducing maximum TLS certificate validity to 200 days starting March 15, 2026.

 NOTE: These changes apply to publicly trusted TLS certificates only.

Chrome and Mozilla Timeline for Removing Trust Based on Age of the Root 

Both Chrome and Mozilla have announced plans to stop trusting older roots for TLS, based on the dates when the roots were created.

| Root Key Material Created | Browser Trust Removed for TLS | Applicable GlobalSign Roots |
|---|---|---|
| Before 2006 | April 15, 2025 | GlobalSign Root R1 (Issuance is disabled) |
| 2006 - 2007 | April 15, 2026 | |
| 2008 - 2009 | April 15, 2027 | GlobalSign Root R3* |
| 2010 - 2011 | April 15, 2028 | |
| 2012 - April 14, 2014 | April 15, 2029 | GlobalSign Root R5 (ECC) |
| April 15, 2014 - present | 15 years from creation | GlobalSign Root R6 |

* For Root R3, GlobalSign must stop issuing 200-day TLS certificates by August 27, 2026 to ensure full browser trust for each certificate's entire lifetime.

Transition to TLS Dedicated Roots and Certificate Profiles 

TLS-dedicated roots are used only for publicly trusted TLS certificates. They are not shared with Secure Email, Code Signing, or other PKI use cases.
In 2019, GlobalSign proactively created two TLS-dedicated roots:

  • R46 - RSA TLS Root
  • E46 - ECC TLS Root

When issued from TLS-dedicated roots, TLS certificates must:

  • Contain only the Server Authentication (ServerAuth) Extended Key Usage (EKU)
  • Not contain Client Authentication (ClientAuth) or other EKUs, which will no longer be permitted

Chrome SCTNotAfter Constraint

Current GlobalSign roots (R3, R5, R6) are multi-purpose roots. Browser policies now require TLS issuance to be separated from other PKI use cases.
Google Chrome will apply an SCTNotAfter constraint to all GlobalSign multi-purpose roots:

  • Effective date: September 13, 2026 (90 days after June 15, 2026)
  • Certificates issued before this date will remain trusted for their full validity
  • Certificates issued after this date will not be trusted by Google Chrome

What If You Need Client Authentication?

If you require TLS certificates with ClientAuth EKU or do not require browser trust, GlobalSign recommends using IntranetSSL, which offers:

  • Longer certificate validity
  • Longer domain reuse periods
  • No CAA checking
  • No Certificate Transparency (CT) logging (additional privacy)

What This Means for You

  • If You Use Publicly Trusted TLS Certificates:
    • You will automatically transition to TLS-dedicated roots based on the timelines below
    • Shorter certificate lifetimes (200 days) will apply starting March 2026
    • Certificates with ClientAuth EKU will no longer be available from public TLS roots
  • If You Do Not Require Browser Trust:
    • No immediate action is required
    • Existing roots remain valid for non-TLS use cases
    • IntranetSSL may be a better long-term option
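
As an added example (not GlobalSign tooling and not part of the original article), the following Python applies the dates and rules stated above to a certificate inventory and reports which certificates are affected. The record shape, finding labels and sample rows are assumptions constructed for illustration; notBefore stands in for the SCT timestamp that Chrome evaluates, and validity is compared at whole-day resolution.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Dates below are the ones stated in this article.
# R6 is "15 years from creation"; its creation date is not on this page, so it is omitted.
ROOT_TLS_TRUST_END = {"R1": date(2025, 4, 15), "R3": date(2027, 4, 15), "R5": date(2029, 4, 15)}
MULTI_PURPOSE_ROOTS = {"R3", "R5", "R6"}
CHROME_SCT_NOT_AFTER = date(2026, 9, 13)
SHORT_LIFETIME_START = date(2026, 3, 15)
MAX_VALIDITY = timedelta(days=200)

@dataclass(frozen=True)
class CertRecord:
    """One inventory row (hypothetical shape; fill it from your own scanner)."""
    name: str
    root: str            # short root label as used in the article, e.g. "R3"
    not_before: date
    not_after: date
    ekus: frozenset

def audit(cert: CertRecord) -> list:
    """Return findings for one publicly trusted TLS certificate."""
    findings = []
    trust_end = ROOT_TLS_TRUST_END.get(cert.root)
    if trust_end and cert.not_after > trust_end:
        findings.append("expires-after-root-trust-removal")
    # Assumption: notBefore stands in for the SCT timestamp Chrome evaluates.
    if cert.root in MULTI_PURPOSE_ROOTS and cert.not_before > CHROME_SCT_NOT_AFTER:
        findings.append("untrusted-in-chrome-sctnotafter")
    if (cert.not_before >= SHORT_LIFETIME_START
            and cert.not_after - cert.not_before > MAX_VALIDITY):
        findings.append("validity-over-200-days")
    # Anything beyond ServerAuth cannot be renewed as-is from a TLS-dedicated root.
    if cert.ekus != {"serverAuth"}:
        findings.append("eku-not-serverauth-only")
    return findings

# Constructed sample inventory (not real certificates).
SAMPLE = [
    CertRecord("shop.example", "R3", date(2026, 9, 1), date(2027, 3, 20), frozenset({"serverAuth"})),
    CertRecord("api.example", "R3", date(2026, 2, 1), date(2027, 2, 20), frozenset({"serverAuth", "clientAuth"})),
    CertRecord("legacy.example", "R3", date(2026, 10, 1), date(2027, 5, 1), frozenset({"serverAuth"})),
    CertRecord("new.example", "R46", date(2026, 10, 1), date(2027, 4, 19), frozenset({"serverAuth"})),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.name, audit(c) or "ok")
```

Certificates flagged with eku-not-serverauth-only are the ones to review for a move to IntranetSSL before their next renewal.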
       

GlobalSign Transition Plan

Atlas Customers

See Atlas - GlobalSign Transition Plan for more information.

GCC Customers

  • Q4 2025: New MSSL OV/EV CAs created for optional use
  • July 27, 2026: Retail and partner products will move to TLS-dedicated roots
  • September 13, 2026: All TLS issuance will move to TLS-dedicated roots

NOTE: Customers who do not require browser trust are encouraged to use IntranetSSL.
