Introduction:

This article will go over the Intermediate and Root changes for SSL products (Express/DomainSSL, Business/OrganisationSSL, and EV/ExtendedSSL).

Overview:

Starting 27 May 2019, we are migrating some of our SSL products over to the GlobalSign Root R3 and the GlobalSign Root R5, as part of our CA life cycle management and in order to address SHA-1 Root concerns.

Express/­­­­­­­DomainSSL certificates:

We are changing from using an issuing CA that chains to the GlobalSign Root R1 which is an SHA-1 Root, to the GlobalSign Root R3 which is an SHA-256 Root.

The GlobalSign Root R3 has been in use for several years issuing our EV/Extended Validation SSL certificates, and now we are moving our Express/DomainSSL issuance to this Root. This new CA under Root R3 will be used to sign both RSA and ECC certificates.

Business/OrganisationSSL certificates:

We are changing from using an issuing CA that chains to GlobalSign Root R1, to CAs that chain either to GlobalSign Root R3 or GlobalSign Root R5.

All requests for RSA Certificates will be issued under a new RSA Intermediate CA which chains to GlobalSign Root R3, while all requests for ECC Certificates will be issued under a new ECC Intermediate CA which chains to GlobalSign Root R5.

The entire chain from SSL Certificate to the Root will be consistent with respect to the key type and signing algorithms (SHA256RSA and SHA384ECDSA).

EV/Extended Validation SSL (certificates issued from a Managed SSL account):

Our EV SSL certificates, issued from a Managed SSL account (where pre-vetting is a feature), will continue to use the existing Intermediate CA for RSA keys but will use a new ECC intermediate CA that chains to GlobalSign Root R5 for ECC keys which permits a complete ECC chain.

EV/Extended Validation SSL (certificates issued from a non-Managed SSL account):

No change the intermediate CA for EV SSL certificates from a non-Managed SSL account will continue to use the current intermediate CA that chains to R3 (this concerns both RSA and ECC certificates).

To summarise, please check the table below:

SSL product CSR key type CA key type

Before 27 May 2019

Root

Before 27 May 2019

CA key type

After 27 May 2019

Root

After 27 May 2019

Express/DomainSSL RSA and ECC RSA R1 RSA R3
Business/OrganisationSSL RSA RSA R1 RSA R3
Business/OrganisationSSL ECC RSA R1 ECC R5
EV SSL (non-MSSL) RSA and ECC RSA R3 No change No change
EV SSL (MSSL) RSA RSA R3 No change No change
EV SSL (MSSL) ECC RSA R3 ECC R5

Important information:

  • When installing new Certificates (including renewals, SAN updates and reissues) for the above products issued after 27 May 2019, please be sure to install the new intermediate CA certificate on your web servers.
  • In some cases, the web server may need to be configured with the GlobalSign R3-R5 Cross Certificate and in very rare cases with Root R3 or Root R5, as part of the standard configuration process.
  • Certificates issued prior to 27 May 2019 will continue to work without any action needed.