Overview
|
Item |
Description |
|
What is changing |
The HTTPS root certificate for DLF is being upgraded from GlobalSign Root R3 to GlobalSign Root R46 |
|
Effective date |
Starting May 11, 2026 |
|
Compatibility deadline |
The old root certificate remains compatible until January 28, 2027, after which the full switch to R46 takes effect |
|
Who is affected |
Users with modern operating systems and standard clients are not affected. Only legacy clients or environments using Certificate Pinning may be affected |
|
Action required |
Verify that your client trust store includes the GlobalSign Root R46 certificate. If not, add it before the compatibility deadline |
Background
In early 2023, Mozilla released an updated root certificate trust policy: root certificates used for server identity verification are no longer trusted if they were issued more than 15 years ago. At the same time, Google Chrome stopped trusting root certificates with multiple EKUs (Extended Key Usage). As a result, servers using legacy GlobalSign root certificates (R1/R3/R5/R6) may experience certificate verification failures during TLS handshakes, directly affecting business continuity.
The HTTPS certificates currently used by Alibaba Cloud Data Lake Formation (DLF) are issued by the GlobalSign Root R3 root certificate. Starting May 11, 2026, newly issued certificates for DLF will be gradually signed by the new root GlobalSign Root R46.
To ensure certificate compatibility, the updated certificates will maintain backward compatibility with GlobalSign Root R1 until January 28, 2027. However, the R1 root expires on January 28, 2028. For clients that do not yet support the R46 root, upgrade the local root certificate list before January 28, 2027. This is an industry-wide upgrade by authoritative CAs, not specific to Alibaba Cloud DLF.
Scope of Impact
Most modern operating systems and client runtime environments will continue to automatically trust GlobalSign root certificates. However, legacy clients or environments that use Certificate Pinning — if they explicitly trust only GlobalSign Root R3 (or specific intermediate certificates) and their trust stores do not yet include Root R46 — may encounter SSL certificate verification failures once servers begin issuing certificates signed by the new root.
Verify all domain names used to access DLF services (including Paimon REST and Iceberg REST) and ensure that the trust stores of related clients are updated accordingly.
Recommended Actions
-
Update trust stores: Ensure that the trust stores of all clients, hardware devices, and backend services that access Alibaba Cloud DLF domains include the GlobalSign Root R46 certificate.
-
Discontinue Certificate Pinning: Certificate Pinning is highly prone to causing verification failures during root certificate rotations and migrations. If your environment requires pinning to a root CA or intermediate CA, update your pin sets to accept GlobalSign Root R46 and any subsequent subordinate CAs to avoid service disruptions.
R46 Root Certificate Verification
If your client can access DLF services and receive responses normally, the R46 root certificate verification is successful. If SSL handshake failures occur, refer to Install root certificates on your operating system to pre-install the root certificate.
GlobalSign root certificate list: globalsign-root-certificates
-
Check whether the new root certificate GlobalSign Root CA - R46 (certificate Subject) is in your trusted root certificate store. If it is, no action is needed. If not, add the new root certificate to the store.
-
We recommend pre-installing all known authoritative root certificates in the client trusted root certificate store.