Dear Alibaba Cloud users,
Mozilla updated its trust policy for root certificates. The new policy requires the root certificates of all certificate authorities (CAs) in the world to be changed at least once every 15 years from creation. Root certificates that are not changed within 15 years of creation gradually lose Mozilla's trust. Starting in the middle of March 2023, DigiCert is gradually updating some existing root certificates to DigiCert Global Root G2.
Update details
Involved root certificates
Original root certificate | Time when Mozilla trust is lost | Impact scope | New root certificate |
Baltimore CyberTrust Root | April 15, 2025 (The root certificate expires on May 15, 2025.) | Cross certificates used to ensure compatibility | DigiCert Global Root G2 |
DigiCert Global Root CA | April 15, 2026 | DigiCert domain validated (DV) and organization validated (OV) certificates | DigiCert Global Root G2 |
DigiCert High Assurance EV Root CA | April 15, 2026 | DigiCert extended validation (EV) certificates | DigiCert Global Root G2 |
Involved DV certificate chains
Certificate brand | Original intermediate certificate | Original root certificate | New intermediate certificate | New root certificate |
GeoTrust and RapidSSL | RapidSSL Global TLS RSA4096 SHA256 2022 CA1 | DigiCert Global Root CA | RapidSSL TLS RSA CA G1 | DigiCert Global Root G2 |
DigiCert | Encryption Everywhere DV TLS CA - G1 | DigiCert Global Root CA | Encryption Everywhere DV TLS CA - G2 | DigiCert Global Root G2 |
Update impact
DigiCert Global Root G2 uses the SHA-256 signature algorithm, which helps improve security.
Certificates that are issued before the middle of March 2023 are not affected. From the middle of March 2023, DigiCert, GeoTrust, and RapidSSL certificates are issued by using the new root and intermediate certificates.
The new root system is compatible with mainstream operating systems and mobile devices.
Clients such as apps and IoT terminals that ship with preconfigured root certificates are affected. In this scenario, we recommend that you use the default trust store for verification.
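The following Python script is an added example, not part of the original notice or of any DigiCert or Alibaba Cloud tooling. It audits a client's preconfigured trust store for the roots named in the tables above. Matching by subject common name is an assumption of the example, and `sample_entry` and `PINNED_SAMPLE` are constructed data, not real certificates.

```python
import ssl

# Common names and Mozilla trust-loss dates, copied from the tables above.
NEW_ROOT = "DigiCert Global Root G2"
OLD_ROOTS = {
    "Baltimore CyberTrust Root": "April 15, 2025",
    "DigiCert Global Root CA": "April 15, 2026",
    "DigiCert High Assurance EV Root CA": "April 15, 2026",
}


def common_name(cert):
    """Return the subject CN of a dict shaped like SSLContext.get_ca_certs() output."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_roots(ca_certs):
    """Report which of the notice's roots a trust store contains.

    Matching is by subject CN only (an assumption of this example); compare
    fingerprints with DigiCert's published values before relying on it.
    """
    names = {common_name(c) for c in ca_certs}
    legacy = {cn: date for cn, date in OLD_ROOTS.items() if cn in names}
    has_new = NEW_ROOT in names
    # A store holding only the old roots cannot anchor chains ending at the new root.
    return {"has_new_root": has_new, "legacy_roots": legacy,
            "needs_update": bool(legacy) and not has_new}


def load_bundle(pem_path):
    """Load a client's bundled PEM trust store; the path is the caller's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    return ctx.get_ca_certs()


def sample_entry(cn):
    """Constructed stand-in for one get_ca_certs() entry, not a real certificate."""
    return {"subject": ((("organizationName", "DigiCert Inc"),), (("commonName", cn),))}


PINNED_SAMPLE = [sample_entry("DigiCert Global Root CA")]  # constructed input

if __name__ == "__main__":
    print(audit_roots(PINNED_SAMPLE))
```

To check a real client, pass the result of `load_bundle` on the client's bundled PEM file to `audit_roots`.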
If you have questions, contact your account manager.
Thank you for your support.