Share Article
SSL Certificates: Root CA and Intermediate CA Changes
SSL/TLS certificates are essential to any website, online service, or blog. They are used to encrypt communication between servers and clients, ensuring that no one can eavesdrop on or tamper with data being exchanged.
16 May 2020 | 10 mins read | By Jon Drejer Tittmann
Express/DomainSSL certificates
We are changing from using an issuing CA that chains to the GlobalSign Root R1 which is an SHA-1 Root, to the GlobalSign Root R3 which is an SHA-256 Root.
The GlobalSign Root R3 has been in use for several years issuing our EV/Extended Validation SSL certificates, and now we are moving our Express/DomainSSL issuance to this Root.
This new CA under Root R3 will be used to sign both RSA and ECC certificates.
Business/OrganisationSSL certificates
We are changing from using an issuing CA that chains to GlobalSign Root R1, to CAs that chain either to GlobalSign Root R3 or GlobalSign Root R5.
All requests for RSA Certificates will be issued under a new RSA Intermediate CA which chains to GlobalSign Root R3, while all requests for ECC Certificates will be issued under a new ECC Intermediate CA which chains to GlobalSign Root R5.
The entire chain from SSL Certificate to the Root will be consistent with respect to the key type and signing algorithms (SHA256RSA and SHA384ECDSA).
EV/Extended Validation SSL: Certificates issued from a Managed SSL account
Our EV SSL certificates, issued from a Managed SSL account (where pre-vetting is a feature), will continue to use the existing Intermediate CA for RSA keys but will use a new ECC intermediate CA that chains to GlobalSign Root R5 for ECC keys which permits a complete ECC chain.
EV/Extended Validation SSL: Certificates issued from a non-Managed SSL account:
No change – the intermediate CA for EV SSL certificates from a non-Managed SSL account will continue to use the current intermediate CA that chains to R3 (this concerns both RSA and ECC certificates).
No change – the intermediate CA for EV SSL certificates from a non-Managed SSL account will continue to use the current intermediate CA that chains to R3 (this concerns both RSA and ECC certificates).
Overview of the changes
| SSL Product | CSR key type | CA key type | Root | CA key type | Root |
| Before May 27, 2019 | Before May 27, 2019 | After May 27, 2019 | After May 27, 2019 | ||
| Express/Domain SSL | RSA and ECC | RSA | R1 | RSA | R3 |
| Business/Organisation SSL | RSA | RSA | R1 | RSA | R3 |
| Business/Organisation SSL | ECC | RSA | R1 | ECC | R5 |
| EV SSL (non-MSSL) | RSA and ECC | RSA | R3 | No change | No change |
| EV SSL (MSSL) | RSA | RSA | R3 | No change | No change |
| EV SSL (MSSL) | ECC | RSA | R3 | ECC | R5 |
Important information
When installing new certificates (including renewals, SAN updates and reissues) for the above products issued after May 27, 2019, please be sure to install the new intermediate CA certificate on your web servers.
In some cases, the web server may need to be configured with the GlobalSign R3-R5 Cross Certificate and in very rare cases with Root R3 or Root R5, as part of the standard configuration process.
Certificates issued prior to May 27, 2019, will continue to work without any action needed.
Vetting/Support Team Lead & OpEx Specialist
Henrik Dürr is a distinguished figure in the certificate industry, boasting an impressive career that spans over three decades. Co-founding TRUSTZONE 20 years ago, Henrik has been instrumental in shaping the company into a leading entity in the cybersecurity space. His profound knowledge and expertise have not only contributed to TRUSTZONE’s success but also to the broader certificate industry
Submit Your Technical Queries Here for Expert Assistance!
We will contact you as soon as possible.
Please enter your details below.
