20221006 - Mozilla modifies its roots management policy
Mozilla recently announced a change in its root management policy. That policy determines whether a root can be included in the root store shipped with the company's browsers.
Roots that do not meet the policy are removed.
A root's life cycle
Mozilla decided to limit the use of a root to 10 years. By doing so, Mozilla hopes to encourage cryptographic agility, keep pace with advances in computing, and ease the transition to better algorithms.
A limit is also warranted because older roots may have been created with technologies, policies, and practices that are no longer in use.
Consequences
These changes will lead to the removal of roots more than 15 years old from Mozilla's stores, starting in 2025 and following a precise calendar:
| Date of the root creation | Date of the root abandonment |
|---|---|
| before 2006 | April 15, 2025 |
| between 2006 and 2007 | April 15, 2026 |
| between 2008 and 2009 | April 15, 2027 |
| between 2010 and 2011 | April 15, 2028 |
| between 2012 and April 15, 2014 | April 15, 2029 |
| after April 15, 2014 | 15 years from creation |
Case of S/MIME certificates
The same rules apply to S/MIME roots, except that they can be used for 18 years after their creation.
A specific calendar, starting in 2028, will be followed:
| Date of the root creation | Date of the root abandonment |
|---|---|
| before 2006 | April 15, 2028 |
| between 2006 and 2007 | April 15, 2029 |
| between 2008 and 2009 | April 15, 2030 |
| between 2010 and 2011 | April 15, 2031 |
| between 2012 and April 15, 2014 | April 15, 2032 |
| after April 15, 2014 | 18 years from creation |
Why 15 years?
Root inclusion is a long process that takes 2 to 3 years, and a transition period is then needed to switch from the old root to the new one. A 15-year term therefore allows for approximately 10 years of root CA use within the Mozilla root store.
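The two calendars above and the "N years from creation" rule reduce to one function of a root's creation date and its usage (TLS or S/MIME). The following script is an added example, not code from the original article or from Mozilla: it encodes the schedule as printed on this page, then audits a constructed inventory of roots against it so an operator can see which chains need a replacement root planned. The inventory dates, the inclusive handling of April 15, 2014, and the three-year planning lead time (taken from the 2-to-3-year inclusion figure above) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Creation dates up to and including this day fall in the fixed calendar
# buckets; later roots get the "N years from creation" rule.
# Treating April 15, 2014 itself as "between 2012 and April 15, 2014" is
# an assumption; the page does not say which side of the boundary it is on.
FIXED_CALENDAR_CUTOFF = date(2014, 4, 15)

# (first removal year in the fixed calendar, lifetime in years) per usage,
# as stated on the page: TLS removals start April 15, 2025 and the limit is
# 15 years; S/MIME removals start April 15, 2028 and the limit is 18 years.
POLICY = {"tls": (2025, 15), "smime": (2028, 18)}


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; Feb 29 becomes Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def calendar_bucket(created: date) -> Optional[int]:
    """Index of the fixed-calendar row (0..4) for a creation date, or None
    when the root was created after the cutoff and the per-root rule applies."""
    if created.year < 2006:
        return 0
    if created.year <= 2007:
        return 1
    if created.year <= 2009:
        return 2
    if created.year <= 2011:
        return 3
    if created <= FIXED_CALENDAR_CUTOFF:
        return 4
    return None


def distrust_date(created: date, usage: str) -> date:
    """Date on which Mozilla's schedule removes a root created on `created`."""
    if usage not in POLICY:
        raise ValueError(f"usage must be one of {sorted(POLICY)}, got {usage!r}")
    first_removal_year, lifetime = POLICY[usage]
    bucket = calendar_bucket(created)
    if bucket is None:
        return add_years(created, lifetime)
    # Each fixed-calendar row removes one year later than the previous one.
    return date(first_removal_year + bucket, 4, 15)


@dataclass(frozen=True)
class RootCert:
    name: str
    not_before: date  # creation date of the root (its notBefore)
    usage: str        # "tls" or "smime"


# Constructed inventory for the example. The root names are those listed on
# this page; the notBefore dates are placeholders chosen so that the computed
# removal dates match the page's table, not values read from the certificates.
SAMPLE_ROOTS: List[RootCert] = [
    RootCert("Sectigo AAA Certificate Services", date(2004, 1, 1), "tls"),
    RootCert("GlobalSign Root CA", date(1998, 9, 1), "tls"),
    RootCert("DigiCert Global Root CA", date(2006, 11, 10), "tls"),
    RootCert("Example Corp S/MIME Root (constructed)", date(2018, 1, 1), "smime"),
]


def audit(roots: List[RootCert], today: date,
          lead_years: int = 3) -> Dict[str, Tuple[date, str]]:
    """Map each root name to (removal date, status).

    Status is REMOVED once the removal date has passed, MIGRATE-NOW when
    fewer than `lead_years` remain (assumed planning horizon), else OK.
    """
    report: Dict[str, Tuple[date, str]] = {}
    for root in roots:
        removal = distrust_date(root.not_before, root.usage)
        if today >= removal:
            status = "REMOVED"
        elif today >= add_years(removal, -lead_years):
            status = "MIGRATE-NOW"
        else:
            status = "OK"
        report[root.name] = (removal, status)
    return report


if __name__ == "__main__":
    for name, (removal, status) in audit(SAMPLE_ROOTS, date(2022, 10, 6)).items():
        print(f"{status:12} {removal}  {name}")
```

Run as a script it prints one line per root with the scheduled removal date and a status as of October 6, 2022; to audit a real root store, replace `SAMPLE_ROOTS` with the names and notBefore dates read from the actual root certificates.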
What is the impact on your certificates?
An older root is often widely recognized and gives your certificates broader recognition. Switching to a newer one will affect the browser ubiquity of your SSL certificates.
All DV, OV and EV certificates issued under a SHA-1 root are affected.
List of impacted roots
| Root name | Date of the root abandonment |
|---|---|
| Sectigo AAA Certificate Services | April 15, 2025 |
| GlobalSign Root CA | April 15, 2025 |
| DigiCert Assured ID Root CA | April 15, 2026 |
| DigiCert Global Root CA | April 15, 2026 |
| DigiCert High Assurance EV Root CA | April 15, 2026 |