Background information
In early 2023, Mozilla released a new root certificate trust policy. Under this policy, Mozilla will no longer trust root certificates used for server authentication if they were issued more than 15 years ago. Because of this change, major browsers such as Mozilla Firefox and Google Chrome will no longer trust root certificates issued more than 15 years ago. Additionally, Google Chrome will no longer trust root certificates with multiple Extended Key Usage (EKU) purposes. For these two reasons, websites using older GlobalSign root certificates (R1, R3, R5, or R6) may show security warnings or become inaccessible in major browsers like Mozilla Firefox and Google Chrome. This directly affects user experience and business continuity.
Currently, the HTTPS certificates used by Alibaba Cloud Object Storage Service (OSS) are issued by the "GlobalSign Root R3" root certificate. Starting June 15, 2026, new certificates issued for OSS will gradually be signed by the new "GlobalSign Root R46" root certificate.
To improve certificate compatibility, the updated certificates will remain compatible with GlobalSign Root R1 until January 28, 2027. However, the R1 root will expire on January 28, 2028. For clients that do not yet support the R46 root, you must upgrade your local root certificate list before January 28, 2027.
Note: This is an industry-wide upgrade for authoritative Certificate Authority (CA) certificates, not an action specific to Alibaba Group.
Which environments might be affected
Most modern operating systems and browsers will continue to automatically trust GlobalSign's root certificates. However, some older clients or environments that use Certificate Pinning might experience SSL certificate validation failures. This can happen if they are configured to explicitly trust only GlobalSign Root R3 (or a specific intermediate certificate) and their Trust Store does not yet contain Root R46. The failures will occur once servers begin sending certificates signed by the new root.
Recommended actions
Update trust stores: If you manage clients, hardware models, or backend services that access Alibaba Cloud OSS domain names, ensure that their Trust Stores contain the GlobalSign Root R46 certificate.
Stop using Certificate Pinning: We recommend that you stop using certificate pinning in any form. It can easily cause validation failures during necessary root certificate rotations and migrations. If your environment must pin to a root CA or a subordinate (intermediate) CA, update your pin sets to accept the new GlobalSign Root R46 CA and any new subordinate CAs that are announced later. This will prevent service interruptions when the new certificates take effect.
R46 root certificate validation
To validate the R46 root certificate, you can access the staging environment from your client. If a result is returned, the validation is successful. If the SSL connection fails, see Install a root certificate in an operating system to install the root certificate on the client.
GlobalSign root certificate list: https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates
Check whether the new root certificate, GlobalSign Root CA - R46, is in your trusted root certificate store. If it is, you are not affected. If not, add the new root certificate to your trusted root certificate store.
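One way to run this check from Python, shown as an added example that is not Alibaba Cloud's or GlobalSign's code. The helper names and the constructed sample entries are assumptions; the match is by subject name only, so confirm the fingerprint against the GlobalSign root certificate list linked above.

```python
import ssl

TARGET_CN = "GlobalSign Root R46"  # root name as written on this page


def dn(cn):
    """Build a constructed name in the tuple shape used by get_ca_certs()."""
    return ((("organizationName", "Example CA (constructed)"),),
            (("commonName", cn),))


# Constructed entries, not real certificates.
SAMPLE_STORE = [
    {"subject": dn("Constructed Old Root"), "issuer": dn("Constructed Old Root")},
    # Same subject name as the target but issued by another CA: this is an
    # intermediate-style certificate, not a trust anchor, so it must not count.
    {"subject": dn(TARGET_CN), "issuer": dn("Constructed Old Root")},
]


def common_name(cert):
    """Return the subject commonName of one get_ca_certs() entry, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def find_roots(ca_certs, cn=TARGET_CN):
    """Entries whose subject CN matches and whose issuer equals the subject."""
    return [c for c in ca_certs
            if common_name(c) == cn and c.get("subject") == c.get("issuer")]


def load_store(cafile=None):
    """Load the default trust store, or an explicit PEM bundle if given.

    Certificates that live in an OpenSSL capath directory are loaded lazily
    and do not appear here; pass the bundle file explicitly in that case.
    """
    return ssl.create_default_context(cafile=cafile).get_ca_certs()


if __name__ == "__main__":
    hits = find_roots(load_store())
    for cert in hits:
        print("found:", common_name(cert), "expires", cert.get("notAfter"))
    if not hits:
        print(TARGET_CN, "not found in the loaded trust store")
```

Runtimes that ship their own trust store (for example a Java keystore or a bundled CA file in an SDK) need the same check run against that store, not the operating system's.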
We strongly recommend that you add all known authoritative root certificates to your client's trusted root certificate store. The specific root certificates are listed in the following file:
Related information
Mozilla's notification on updating its root certificate trust policy
In early 2023, Mozilla released a new root certificate trust policy. Under this policy, Mozilla will no longer trust root certificates used for server authentication if they were issued more than 15 years ago. https://wiki.mozilla.org/CA/Root_CA_Lifecycles
Google's notification: https://googlechrome.github.io/chromerootprogram/policy-archive/policy-version-1-5/
GlobalSign's notification on root certificate upgrade
Because of the adjustment to Mozilla's root certificate trust policy, some of GlobalSign's root certificates are no longer trusted by Mozilla even before their expiration dates and must be retired early. GlobalSign published a notification about upgrading its root certificates: https://support.globalsign.com/ssl/upcoming-changes-tls-roots-and-certificate-profiles
Chrome EKU limits
The extensions field in a certificate describes its usage limits. The EKU field specifies the certificate's purpose, such as serverAuth, clientAuth, codeSigning, emailProtection, or macAddress.
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        Authority Information Access:
            OCSP - URI:http://ocsp2.globalsign.com/rootr6
            CA Issuers - URI:http://secure.globalsign.com/cacert/root-r6.crt
        X509v3 CRL Distribution Points:
            Full Name:
              URI:http://crl.globalsign.com/root-r6.crl
Starting June 15, 2026, Chrome will impose restrictions on all CAs in its root store. It will no longer support CAs whose purpose is unspecified or that include other Public Key Infrastructure (PKI) purposes, such as TLS client authentication, secure email, or digital signatures.
Google's notification: https://googlechrome.github.io/chromerootprogram/ (See section 1.3.2)
EKU changes: https://www.cfca.com.cn/20251009/200001105.html
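To check a CA certificate against the EKU rule described in this section, the following added example (not code from Chrome, GlobalSign or Alibaba Cloud) reads the Extended Key Usage line from `openssl x509 -text` output and reports anything other than server authentication. The function names and the two comparison inputs are constructed for illustration; the rule encoded is the one this page states.

```python
import re

SERVER_AUTH = "TLS Web Server Authentication"  # openssl's label for serverAuth

# Extension dump quoted on this page (only the lines the check reads).
PAGE_SAMPLE = """\
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Certificate Sign, CRL Sign
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:0
"""

# Constructed variants for comparison (not real certificates).
SERVER_ONLY = PAGE_SAMPLE.replace(", TLS Web Client Authentication", "")
NO_EKU = "\n".join(
    line for line in PAGE_SAMPLE.splitlines()
    if "Extended Key Usage" not in line and "TLS Web" not in line
)

EKU_HEADER = re.compile(r"^X509v3 Extended Key Usage:(?: critical)?$")


def eku_purposes(dump):
    """Return the EKU purposes in the dump, or None if the extension is absent."""
    # Strip each line so the parser also works when indentation was lost.
    lines = [line.strip() for line in dump.splitlines() if line.strip()]
    for i, line in enumerate(lines):
        if EKU_HEADER.match(line):
            if i + 1 == len(lines):
                return []  # header present but no value line follows
            return [p.strip() for p in lines[i + 1].split(",") if p.strip()]
    return None


def eku_findings(dump):
    """Findings under the rule on this page: EKU present and serverAuth only."""
    purposes = eku_purposes(dump)
    if purposes is None:
        return ["no Extended Key Usage extension (purpose unspecified)"]
    findings = [f"extra purpose: {p}" for p in purposes if p != SERVER_AUTH]
    if SERVER_AUTH not in purposes:
        findings.append("serverAuth missing")
    return findings


if __name__ == "__main__":
    for name, dump in [("page sample", PAGE_SAMPLE),
                       ("server-only", SERVER_ONLY), ("no EKU", NO_EKU)]:
        print(name, "->", eku_findings(dump) or "ok")
```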