Announcement on Updating OSS SSL Certificates
Aug 08, 2024
Object Storage Service
In early 2023, Mozilla updated its trust policy for root certificates. Under the new policy, Mozilla no longer trusts root certificates used for server authentication once more than 15 years have passed since they were issued. Consequently, GlobalSign published a root certificate update notice on February 19, 2024, which indicates that the GlobalSign Root R1 root certificates are no longer valid after April 15, 2025.
The SSL certificates used by Alibaba Cloud OSS are issued by GlobalSign Root R1 root certificates. Starting from July 1, 2024, new SSL certificates are issued by GlobalSign Root R3 root certificates. Existing SSL certificates are replaced by using the cross-certificate scheme. The scheme provides compatibility between OSS and R1 and between OSS and R3 at the same time. The scheme is valid until December 28, 2026. The existing SSL certificates issued by GlobalSign Root R1 root certificates must be replaced by new SSL certificates issued by GlobalSign Root R3 root certificates before this date.
However, GlobalSign Root R3 root certificates are no longer trusted by Mozilla after April 15, 2027 and expire on March 18, 2029. To mitigate the long-term impact, when you update the existing root certificates, we recommend that you include authoritative root certificates, such as GlobalSign Root R1, GlobalSign Root R3, GlobalSign Root R6, and GlobalSign Root R46, in the root certificate list.
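One way to check a client trust store against the recommended root list, as an added example that is not Alibaba Cloud's or GlobalSign's own code. The subject strings used to recognise each root are assumptions taken from the public GlobalSign root certificates, and matching is by subject only, not by fingerprint.

```python
import ssl
from datetime import datetime, timezone

# Root names from the announcement -> a (field, value) pair in that root's subject.
# The subject strings are assumptions (public GlobalSign roots), not from the page.
RECOMMENDED = {
    "GlobalSign Root R1": ("commonName", "GlobalSign Root CA"),
    "GlobalSign Root R3": ("organizationalUnitName", "GlobalSign Root CA - R3"),
    "GlobalSign Root R6": ("organizationalUnitName", "GlobalSign Root CA - R6"),
    "GlobalSign Root R46": ("commonName", "GlobalSign Root R46"),
}

def subject_fields(cert):
    """Flatten ssl's nested subject tuples into a set of (field, value) pairs."""
    return {pair for rdn in cert.get("subject", ()) for pair in rdn}

def audit_roots(ca_certs, now=None):
    """Return {root name: 'present' | 'expired' | 'missing'} for a trust store."""
    now = now or datetime.now(timezone.utc)
    report = dict.fromkeys(RECOMMENDED, "missing")
    for cert in ca_certs:
        fields = subject_fields(cert)
        expiry = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
        for name, ident in RECOMMENDED.items():
            if ident in fields:
                report[name] = "present" if expiry > now else "expired"
    return report

# Constructed sample in the shape returned by SSLContext.get_ca_certs():
# a store that holds only the R1 and R3 roots.
SAMPLE_STORE = [
    {"subject": ((("countryName", "BE"),), (("organizationName", "GlobalSign nv-sa"),),
                 (("organizationalUnitName", "Root CA"),),
                 (("commonName", "GlobalSign Root CA"),)),
     "notAfter": "Jan 28 12:00:00 2028 GMT"},
    {"subject": ((("organizationalUnitName", "GlobalSign Root CA - R3"),),
                 (("organizationName", "GlobalSign"),), (("commonName", "GlobalSign"),)),
     "notAfter": "Mar 18 10:00:00 2029 GMT"},
]

if __name__ == "__main__":
    print("sample:", audit_roots(SAMPLE_STORE))
    # get_ca_certs() lists only certificates already loaded from a CA file;
    # certificates in a capath directory are loaded lazily and may not appear.
    print("system:", audit_roots(ssl.create_default_context().get_ca_certs()))
```

A `missing` result for R6 or R46 identifies clients whose trust store should be updated before the R1 and R3 dates given above.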