A root certificate is the anchor of a certificate trust chain and is used to authenticate all subordinate certificates issued by a Certificate Authority (CA). The root certificates for SSL Certificates from trusted CAs are pre-installed in major web browsers, such as Google Chrome, Mozilla Firefox, and Microsoft Edge. They are also pre-installed in operating systems, such as Windows, macOS, and the Android and iOS mobile platforms. However, some clients, such as apps, Java clients, older browsers, and Internet of Things (IoT) devices, may not have a pre-installed root certificate. For these clients, you must download the root certificate that corresponds to your server certificate and install it on the client to establish a secure HTTPS connection.
Even if a root certificate is installed on a client, access may fail or a security warning may appear. This can occur if the root certificate expires or a policy changes.
If you understand and accept these threats but still need to install a root certificate in an environment such as an app or a Java client, you can download and install the required root certificate. After you download the root certificate, install it in the system's default certificate trust store and use this store for client authentication. If you have questions, contact your business manager for assistance.
Available root certificates
Alibaba Cloud provides the following root certificates for download. Click the link that corresponds to the brand and type of your SSL Certificate. For example, if you have a DigiCert OV SSL Certificate, download the DigiCert OV root certificate.
Certificate brand | Root certificate download |
DigiCert | Note Starting December 1, 2024, SSL Certificates that you request for the DigiCert brands will be gradually issued with new root and intermediate certificates. For more information, see [Notice] DigiCert Root Certificate Replacement. |
GlobalSign | |
Alibaba Cloud | Note Starting September 18, 2025, newly issued SSL Certificates of the Alibaba Cloud brand will be gradually issued with new root and intermediate certificates. For more information, see [Notice] Alibaba Cloud Brand Certificate Root Update. |
DigiCert root certificate compatibility
Operating system or browser | DigiCert Global Root CA (Old) | DigiCert Global Root G2 (Old - Transitional) | DigiCert Global Root G2 (New - Cross-root) |
Fingerprint | a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 | 8bf7f178a745a11bac6ae5b586fc1838eadcb2cf |
Windows (Internet) | Windows XP SP3+ | Windows XP SP3+ | Windows XP SP3+ |
Windows (internal network) | Windows 7+ | Windows 8+ | Windows 7+ |
macOS | Mac OS X 10.6+ | Mac OS X 10.10+ | Mac OS X 10.6+ |
iOS | iOS 4.0+ | iOS 7.0+ | iOS 4.0+ |
Firefox | Firefox 2+ | Firefox 32+ | Firefox 2+ |
NSS | NSS 3.11.8 | NSS 3.16.3 | NSS 3.11.8 |
Android | Android 1.1+ | Android 5.0+ | Android 1.1+ |
Chrome | Chrome 108 and later use a built-in trust store. Earlier versions rely on the operating system's trust store. | Chrome 108 and later use a built-in trust store. Earlier versions rely on the operating system's trust store. | Chrome 108 and later use a built-in trust store. Earlier versions rely on the operating system's trust store. |
Java | JRE 1.4.2_17+ | JRE 1.8.0_131+ | JRE 1.4.2_17+ |
The storage location for trusted root certificates in Linux varies by distribution. Most Linux distributions use the /etc/ssl/certs/ folder or the /etc/pki/tls/certs/ca-bundle.crt file as the system's trusted root certificate store.