Starting September 18, 2025, all newly issued Alibaba Cloud-branded SSL certificates will use new root and intermediate certificates. The current root certificate, GlobalSign Root CA - R3, expires on November 17, 2026. This page explains the change, its impact, and the actions you need to take.
Background
Alibaba Cloud-branded Domain Validated (DV) certificates are currently issued through a certificate chain that terminates at the GlobalSign Root CA - R3 root certificate. Because this root certificate expires on November 17, 2026, Alibaba Cloud is transitioning to the TLS Root R46 root certificate and a new intermediate certificate.
A cross-certificate (GlobalSign Cross Certificate R3-R46) bridges the old and new root certificates. It allows clients that already trust GlobalSign Root CA - R3 to also trust certificates issued under the new TLS Root R46 hierarchy.
Scope
This change affects Alibaba Cloud-branded DV certificates only.
-
Certificates issued before September 18, 2025 are not affected and continue to work normally until they expire.
-
Certificates issued on or after September 18, 2025 will use the new root and intermediate certificates.
Who is affected
Standard environments (generally not affected)
If your certificates serve PC clients or mini-program services, you are generally not affected. The new TLS Root R46 root certificate and its cross-certificate are already pre-installed in the trust stores of most mainstream operating systems, mobile platforms, and Java Development Kit (JDK) environments.
Environments with application-embedded trust stores (action required)
If your certificates are used in environments that rely on a hardcoded trust store — a fixed set of trusted root certificates embedded in your application — you must take action. These environments include:
-
Mobile applications
-
Internet of Things (IoT) devices
-
Non-PC browsers
-
Custom Java clients
To maintain a secure HTTPS connection, choose one of the following options:
-
Update your certificates: Download the new root, cross-certificate, and intermediate certificates (see Download certificates below) and replace the old ones in your trust store.
-
Switch to the system trust store: Configure your client to use the operating system's default trust store for certificate validation instead of an application-embedded trust store.
Certificate pinning
If your application pins to specific root or intermediate certificates, update your pinning configuration before September 18, 2025. As a best practice, pin to the Subject Public Key Info (SPKI) hash rather than the certificate itself, because certificate attributes change during transitions.
Certificate transition details
Root certificate
|
Original root certificate |
Expiration date |
Switchover date |
Scope |
New root certificate |
|
GlobalSign Root CA - R3 |
November 17, 2026 |
September 18, 2025 |
Alibaba Cloud-branded DV certificates |
TLS Root R46 Root Certificate |
Intermediate certificate
|
Original intermediate certificate |
Expiration date |
Switchover date |
Scope |
New intermediate certificate |
|
Alibaba Cloud GCC R3 AlphaSSL CA 2023 |
November 17, 2026 |
September 18, 2025 |
Alibaba Cloud-branded DV certificates |
Alibaba Cloud GCC R46 AlphaSSL CA 2025 |
Download certificates
Download the new root, cross-certificate, and intermediate certificates:
-
Root certificate: TLS Root R46 Root Certificate
-
Cross-certificate: GlobalSign Cross Certificate R3-R46
-
Intermediate certificate: Alibaba Cloud GCC R46 AlphaSSL CA 2025
FAQ
Do I need to take action if my certificates were issued before September 18, 2025?
No. Certificates issued before this date continue to use the existing GlobalSign Root CA - R3 chain and are not affected.
How do I know if my application uses a hardcoded trust store?
If your application bundles its own set of trusted root certificates rather than relying on the operating system's certificate store, it uses a hardcoded trust store. This is common in mobile apps, IoT firmware, and custom Java clients that configure a specific TrustManager or keystore file.
Do I need to reissue my certificates?
No. Certificates issued on or after September 18, 2025 automatically use the new root and intermediate certificates. Certificates issued before that date remain valid and do not need to be reissued.
What happens if I do nothing?
If your environment relies on a hardcoded trust store that does not include the new TLS Root R46 root certificate, HTTPS connections to services using newly issued certificates may fail with a certificate validation error.
Who can I contact for help?
Contact your Alibaba Cloud account manager for assistance.