SSL Certificates: Root CA and Intermediate CA Changes

Express/­­­­­­­DomainSSL certificates

We are changing from using an issuing CA that chains to the GlobalSign Root R1 which is an SHA-1 Root, to the GlobalSign Root R3 which is an SHA-256 Root.

The GlobalSign Root R3 has been in use for several years issuing our EV/Extended Validation SSL certificates, and now we are moving our Express/DomainSSL issuance to this Root.

This new CA under Root R3 will be used to sign both RSA and ECC certificates.

Business/OrganisationSSL certificates

We are changing from using an issuing CA that chains to GlobalSign Root R1, to CAs that chain either to GlobalSign Root R3 or GlobalSign Root R5.

All requests for RSA Certificates will be issued under a new RSA Intermediate CA which chains to GlobalSign Root R3, while all requests for ECC Certificates will be issued under a new ECC Intermediate CA which chains to GlobalSign Root R5.

The entire chain from SSL Certificate to the Root will be consistent with respect to the key type and signing algorithms (SHA256RSA and SHA384ECDSA).

EV/Extended Validation SSL: Certificates issued from a Managed SSL account

Our EV SSL certificates, issued from a Managed SSL account (where pre-vetting is a feature), will continue to use the existing Intermediate CA for RSA keys but will use a new ECC intermediate CA that chains to GlobalSign Root R5 for ECC keys which permits a complete ECC chain.

EV/Extended Validation SSL: Certificates issued from a non-Managed SSL account:

No change – the intermediate CA for EV SSL certificates from a non-Managed SSL account will continue to use the current intermediate CA that chains to R3 (this concerns both RSA and ECC certificates).

Overview of the changes

SSL product CSR key type CA key type Root CA key type Root
Before May 27, 2019 Before May 27, 2019 After May 27, 2019 After May 27, 2019
Express/
Domain
SSL
RSA
and
ECC
RSA R1 RSA R3
Business/
Organisation
SSL
RSA RSA R1 RSA R3
Business/
Organisation
SSL
ECC RSA R1 ECC R5
EV SSL
(non-MSSL)
RSA
and
ECC
RSA R3 No
change
No
change
EV SSL
(MSSL)
RSA RSA R3 No
change
No
change
EV SSL
(MSSL)
ECC RSA R3 ECC R5

Important information

When installing new certificates (including renewals, SAN updates and reissues) for the above products issued after May 27, 2019, please be sure to install the new intermediate CA certificate on your web servers.

In some cases, the web server may need to be configured with the GlobalSign R3-R5 Cross Certificate and in very rare cases with Root R3 or Root R5, as part of the standard configuration process.

Certificates issued prior to May 27, 2019, will continue to work without any action needed.

Join us!

We are looking for talented new members to join our growing team.