Root certificates form the foundation of the SSL/TLS trust chain and verify the trustworthiness of server certificates. Due to changes in global root certificate trust policies, OSS is upgrading its root certificates to ensure continued secure and available HTTPS access.
Upgrade Background
In early 2023, Mozilla implemented a new root certificate trust policy stating that server authentication root certificates issued more than 15 years ago will no longer be trusted. As a result, the GlobalSign Root R1 root certificate will expire on April 15, 2025. For details, see the Mozilla root certificate trust policy notification.
OSS Response Strategy
Alibaba Cloud OSS has taken the following measures to ensure a smooth service transition. For more information, see Alibaba Cloud Object Storage Service HTTPS Root Certificate Upgrade Announcement.
Measure | Description |
Certificate Update | Starting July 1, 2024, newly issued OSS certificates will use GlobalSign Root R3. This ensures compatibility with the latest security standards. |
Cross-Certificate Compatibility | Existing certificates will smoothly migrate from R1 to R3 using a cross-certificate mechanism. Cross-certificates are valid until January 28, 2028. Complete update preparations before December 28, 2026. |
Future Planning | GlobalSign Root R3 will no longer be trusted by Mozilla starting April 15, 2027. It will expire on March 18, 2029. Include multiple root certificates, such as R1, R3, R6, and R46, in your client's root certificate list. This addresses future certificate rotation needs. |
User Response
Most users require no action. Modern operating systems (Windows 7+, macOS 10.12.1+, and mainstream Linux versions from the last five years) and browsers automatically update their built-in root certificate stores.
Only follow the steps below if you encounter certificate errors when accessing OSS over HTTPS on older operating systems, embedded devices, or outdated custom clients.
Step 1: Check for the "GlobalSign Root CA - R3" Root Certificate
Windows
Press Win + R, enter
certmgr.msc, and press Enter to open Certificate Manager.In the left navigation pane, expand .
Find the certificate where Issued To is GlobalSign and Friendly Name is GlobalSign Root CA - R3.
Linux
For example, on Ubuntu, open a terminal and run the following command to check for GlobalSign certificates in the system certificate directory:
ls /etc/ssl/certs/ | grep GlobalSignmacOS
Open Finder, search for "Keychain Access", and open it.
Click System Roots, enter "GlobalSign" in the search box, and double-click to view certificate details.
Step 2: Install Missing Root Certificates
If you confirm that the root certificate is missing from the system, see Installing Root Certificates in the Operating System.