This topic describes why Object Storage Service (OSS) SSL certificates are being updated and what OSS and OSS users need to do.
Announcement on Mozilla updating its trust policy for root certificates
To ensure the continued reliability of the network security environment, Mozilla implemented a new trust policy for root certificates in early 2023. Under the new policy, Mozilla no longer trusts root certificates used for server authentication that were issued more than 15 years ago. For more information, see CA/Root CA Lifecycles.
Announcement on GlobalSign updating its root certificates
The new trust policy published by Mozilla affects the validity of GlobalSign Root R1 root certificates. Consequently, GlobalSign published a root certificate update notice, which indicates that GlobalSign Root R1 root certificates are no longer valid after April 15, 2025. For more information, see Removal of TLS trust bit from Roots R1 and R3 by Mozilla.
Methods for OSS
In view of the preceding changes, Alibaba Cloud OSS takes the following measures:
OSS certificate update plan
Currently, the SSL certificates used by OSS are issued by GlobalSign Root R1 root certificates, which expire on January 28, 2028. Starting from July 1, 2024, new SSL certificates are issued by GlobalSign Root R3 root certificates. The move aims to address potential trust issues in advance to ensure service continuity and security.
Cross-certificate scheme for compatibility
To keep OSS compatible with both GlobalSign Root R1 and GlobalSign Root R3 during the transition period, the existing OSS SSL certificates issued by GlobalSign Root R1 root certificates are gradually replaced by new SSL certificates issued by GlobalSign Root R3 root certificates. You must apply for new SSL certificates issued by GlobalSign Root R3 root certificates 13 months before the expiration date (January 28, 2028) of the SSL certificates issued by GlobalSign Root R1 root certificates. In this case, you must complete the application for new SSL certificates before December 28, 2026.
Future planning and suggestions
GlobalSign Root R3 root certificates are no longer trusted by Mozilla after April 15, 2027 and expire on March 18, 2029. To mitigate the long-term impact, when you update the existing SSL certificates, we recommend that you include authoritative root certificates, such as GlobalSign Root R1, GlobalSign Root R3, GlobalSign Root R6, and GlobalSign Root R46, in the root certificate list. For more information, see GlobalSign Root Certificates.
For more information about updating OSS SSL certificates, see Announcement on Updating OSS SSL Certificates.
Methods for OSS users
Check whether the GlobalSign Root CA-R3 certificates exist in the root certificate list.
If the GlobalSign Root CA-R3 certificates exist, OSS is not affected and continues to maintain a secure connection.
If the GlobalSign Root CA-R3 certificates do not exist, you must add the certificates to your trusted root certificate library.
Add authoritative root certificates to your trusted root certificate library.
To improve overall security and compatibility, we recommend that you add all known and trusted authoritative root certificates to your trusted root certificate library. This way, you can effectively prevent future connection failures or security warnings caused by certificate trust chain issues.
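One way to run the check described above against a client's trust store, as an added example that is not part of the original announcement. It reports whether each of the four GlobalSign roots named in this topic is present, expired, or missing; the function names, the status labels, and the constructed `SAMPLE` entries are assumptions of this example.

```python
import ssl
import sys
import time

# Subject fields identifying each root; labels follow the names used above.
WANTED = {
    "GlobalSign Root R1": ("commonName", "GlobalSign Root CA"),
    "GlobalSign Root R3": ("organizationalUnitName", "GlobalSign Root CA - R3"),
    "GlobalSign Root R6": ("organizationalUnitName", "GlobalSign Root CA - R6"),
    "GlobalSign Root R46": ("commonName", "GlobalSign Root R46"),
}

# Constructed sample in the shape returned by SSLContext.get_ca_certs().
SAMPLE = [
    {"subject": ((("countryName", "BE"),), (("organizationName", "GlobalSign nv-sa"),),
                 (("organizationalUnitName", "Root CA"),), (("commonName", "GlobalSign Root CA"),)),
     "notAfter": "Jan 28 12:00:00 2028 GMT"},
    {"subject": ((("organizationalUnitName", "GlobalSign Root CA - R3"),),
                 (("organizationName", "GlobalSign"),), (("commonName", "GlobalSign"),)),
     "notAfter": "Mar 18 10:00:00 2029 GMT"},
]

def audit_roots(ca_certs, now=None):
    """Map each wanted root to 'present', 'expired' or 'missing'."""
    now = time.time() if now is None else now
    status = dict.fromkeys(WANTED, "missing")
    for cert in ca_certs:
        fields = {pair for rdn in cert.get("subject", ()) for pair in rdn}
        live = ssl.cert_time_to_seconds(cert["notAfter"]) > now
        for label, field in WANTED.items():
            if field in fields and status[label] != "present":
                status[label] = "present" if live else "expired"
    return status

def load_roots(cafile=None):
    """Read roots from a PEM bundle, or from the platform default store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        # Roots in a hashed directory (capath) are loaded lazily and are not
        # listed by get_ca_certs(); pass the bundle file explicitly there.
        ctx.load_default_certs()
    return ctx.get_ca_certs()

if __name__ == "__main__":
    roots = load_roots(sys.argv[1] if len(sys.argv) > 1 else None)
    for label, state in audit_roots(roots).items():
        print(f"{label}: {state}")
```

The match is on subject name only, so before adding a missing root, obtain it from GlobalSign and compare its fingerprint with the value GlobalSign publishes.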