This topic describes the background and countermeasures for the HTTPS root certificate update of Simple Log Service.
Mozilla root certificate trust policy update notification
In early 2023, Mozilla implemented a new trust policy for root certificates to enhance network security reliability. Root certificates used for server authentication with validity over 15 years are no longer trusted. For more information, see Mozilla root certificate trust policy update notification.
GlobalSign root certificate update notification
Mozilla's new trust policy impacts the validity of GlobalSign Root R1 certificates. Accordingly, GlobalSign announced that these certificates expire on April 15, 2025. For more information, see GlobalSign root certificate update notification.
Simple Log Service response strategy
In view of the above changes, Alibaba Cloud Simple Log Service announces the following response strategies:
Simple Log Service certificate update plan
Currently, the HTTPS certificates used by Simple Log Service are issued by GlobalSign Root R1. Although the official validity period of this root certificate has not ended, based on Mozilla's new policy, newly issued certificates from Simple Log Service have started using GlobalSign Root R3. This change addresses potential trust issues, ensuring service continuity and security.
Cross-certificate scheme for compatibility
To ensure broad compatibility during the transition period, existing Simple Log Service certificates will use a cross-certificate mechanism to achieve smooth migration from GlobalSign Root R1 to GlobalSign Root R3. The cross-certificate for GlobalSign Root R1 must be requested 13 months before expiration. Therefore, you must complete all related root certificate update preparations before January 1, 2026.
Future planning and suggestions
Considering long-term development, although GlobalSign Root R3 is the current solution, it will no longer be trusted by Mozilla starting April 15, 2027. We strongly advise clients to update their root certificates promptly and include authoritative ones such as GlobalSign R1, R3, R6, and R46. For more information, see GlobalSign root certificates.
Response strategies for Simple Log Service users
1. Check whether the GlobalSign Root CA-R3 certificates exist in the root certificate list.
   - If they do, Simple Log Service is not affected and continues to maintain a secure connection.
   - Otherwise, you must add the certificates to your trusted root certificate library (see the following step).
2. Add authoritative root certificates to your trusted root certificate library.
   To improve overall security and compatibility, we recommend that you add all known and trusted authoritative root certificates to your trusted root certificate library. This can effectively prevent future connection failures or security warnings caused by certificate trust chain issues.
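The check in the first step can be scripted. The following is an added example, not code from Simple Log Service or GlobalSign: it reports which of the GlobalSign roots named in this topic (R1, R3, R6, R46) are missing from a trust store. The function names and the sample store are assumptions made for illustration, and the match is by subject name only.

```python
import ssl

# Subject attributes of the roots this topic names. Subject-name match only;
# confirm fingerprints against the values GlobalSign publishes.
WANTED = {
    "R1": {"commonName": "GlobalSign Root CA", "organizationalUnitName": "Root CA"},
    "R3": {"organizationalUnitName": "GlobalSign Root CA - R3"},
    "R6": {"organizationalUnitName": "GlobalSign Root CA - R6"},
    "R46": {"commonName": "GlobalSign Root R46"},
}

def missing_roots(ca_certs, wanted=WANTED):
    """Return labels of wanted roots absent from a get_ca_certs()-style list."""
    found = set()
    for cert in ca_certs:
        # A cross-certificate carries the root's subject but another issuer;
        # only a self-signed entry is the root itself.
        if cert.get("subject") != cert.get("issuer"):
            continue
        # Flatten ssl's nested RDN tuples into {attribute: value}.
        subject = {k: v for rdn in cert["subject"] for k, v in rdn}
        for label, attrs in wanted.items():
            if all(subject.get(k) == v for k, v in attrs.items()):
                found.add(label)
    return [label for label in wanted if label not in found]

def load_store(cafile=None):
    """Load CA certificates from a PEM bundle, or from the platform default."""
    if cafile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
    else:
        # Roots kept in a hashed capath directory are loaded lazily and are
        # not listed here; pass the bundle file explicitly in that case.
        ctx = ssl.create_default_context()
    return ctx.get_ca_certs()

def _name(**attrs):
    return tuple(((k, v),) for k, v in attrs.items())

# Constructed sample store: R1 and R46 present, R3 only as a cross-certificate.
_R1 = _name(organizationalUnitName="Root CA", commonName="GlobalSign Root CA")
_R3 = _name(organizationalUnitName="GlobalSign Root CA - R3", commonName="GlobalSign")
_R46 = _name(commonName="GlobalSign Root R46")
SAMPLE_STORE = [{"subject": _R1, "issuer": _R1}, {"subject": _R46, "issuer": _R46},
                {"subject": _R3, "issuer": _R1}]

if __name__ == "__main__":
    print("this host is missing:", missing_roots(load_store()))
```

If your client uses its own CA bundle instead of the system store, pass that file to `load_store(cafile=...)` so the result reflects what the client actually trusts.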