TLS/SSL: Scheduled Root Transition for SwissSign Certificates in April 2026
«SwissSign Gold CA – G2» retires from Chrome and Mozilla. For almost all SwissSign customers, no action is required, as SwissSign's root «SwissSign RSA TLS Root CA 2022 – 1» remains valid. Both browser vendors will withdraw trust for the legacy root as part of their annual clean-up of older public TLS roots.
| | |
|---|---|
| Relevance for certificate users | ★★☆☆☆ (2/5) |
| Affected users | Owners of public TLS server certificates from SwissSign with non-standard validation setups (certificate pinning against Chrome/Mozilla stores, or legacy strict chain-walking validators). Standard setups are not affected. |
| Affected certificate types | Public TLS server certificates (S/MIME and other certificates unaffected) |
| Implementation effort | ★☆☆☆☆ (1/5) for standard setups (no action required); ★★★☆☆ (3/5) for pinning or legacy strict validators |
| Status browser root programmes | Chrome removes SwissSign Gold CA – G2 (Serial BB:40:1C:43:F5:5E:4F:B0) from its root store; Mozilla removes the web (TLS) trust bit. |
| SwissSign status | Replacement root SwissSign RSA TLS Root CA 2022 – 1 already included in Chrome and Mozilla root stores. |
| Deadline for certificate users | 15 April 2026 (action only required for non-standard setups) |
| Links to the ballot | Chrome Root Program Policy, Mozilla Root Store Policy |

What changes on 15 April 2026
Chrome will remove SwissSign Gold CA – G2 from its root store in full. The Chrome root store is scoped to TLS only, so no other certificate use is affected.
Mozilla will remove only the web (TLS) trust bit for SwissSign Gold CA – G2. Other trust bits held on the Mozilla side are not in scope of this change.
In short: the removal affects public TLS certificates only. S/MIME, document signing and any other certificate types issued under different hierarchies are unaffected. Other root stores, notably Apple's, are also unaffected by this particular action.
Timeline and Propagation
While the effective date is 15 April 2026, the change only becomes visible on end-user devices as the updates propagate:
- Chrome with component updates enabled: typically within hours to a few days, although no strict upper bound is guaranteed.
- Chrome without component updates, and all Firefox browsers: on the next browser update.
- Other systems using Mozilla's NSS root store: timing depends on how the trust store is distributed and updated in each environment. Refer to the Mozilla Root Store Policy and the NSS root store documentation for details.
What SwissSign Has Done
SwissSign created the replacement root SwissSign RSA TLS Root CA 2022 – 1 well in advance and secured its inclusion in the major trust stores. It is already present in the root stores of Chrome, Mozilla and Microsoft.
SwissSign also continues to serve a legacy-compatible chain of the form Leaf → ICA → cross-signed Root → Gold G2, so that Apple's root store, where inclusion of the new root is still pending, is covered as well. This chain:
- maximises compatibility with Apple and older systems that still trust Gold G2, and
- prevents widespread outages during the transition.
The long-term goal remains a single chain ending in SwissSign RSA TLS Root CA 2022 – 1 that is trusted by all major root stores.
What You Need to Do
Standard setups: no action required
If you operate public web servers using SwissSign TLS certificates and rely on the default chain behaviour of browsers and modern TLS libraries, you do not need to do anything. Chrome, Edge and Firefox already trust the 2022 root, so validation will continue to succeed. End users will not see any warnings or errors; the only technical difference is that the number of valid paths drops from two (one ending in Gold G2, one in the 2022 root) to one.
Non-standard setups: check your configuration
Only a minority of setups might be affected. The typical cases are:
- Certificate pinning tied to Gold G2: applications that pin the Gold G2 root or an intermediate beneath it, and that additionally rely on Chrome's or Mozilla's trust store to confirm the chain, can fail. In order to prevent this, remove the pin or, if pinning is unavoidable, pin to the correct successor and plan a rotation strategy.
- Legacy strict validators: non-standard validation systems that do not stop at the first trusted anchor but keep tracing the chain (for example via AIA fetching) may still attempt to terminate at Gold G2. Updating the library, framework or validation logic resolves this.
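
The difference between the two validation behaviours, as an added example that is not part of SwissSign's advisory: a simplified Python model of path building over the served chain, run against a trust store before and after the removal. Keys and signatures are replaced by string labels, and the leaf and intermediate names are placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str        # stand-in for the certificate's public key
    signed_by: str  # stand-in for the key that signed it (no real crypto here)

ROOT_2022 = "SwissSign RSA TLS Root CA 2022 – 1"  # names from the advisory
GOLD_G2 = "SwissSign Gold CA – G2"
ICA = "Issuing CA (placeholder)"                  # assumed name

# Constructed served chain: Leaf -> ICA -> cross-signed Root. The cross-signed
# certificate has the 2022 root's name and key but is issued by Gold G2.
SERVED = [
    Cert("www.example.test", ICA, "k-leaf", "k-ica"),
    Cert(ICA, ROOT_2022, "k-ica", "k-2022"),
    Cert(ROOT_2022, GOLD_G2, "k-2022", "k-gold"),
]
# Trust stores as {anchor subject: anchor key}.
STORE_BEFORE = {ROOT_2022: "k-2022", GOLD_G2: "k-gold"}
STORE_AFTER = {ROOT_2022: "k-2022"}    # Gold G2 removed
STORE_G2_ONLY = {GOLD_G2: "k-gold"}    # 2022 root not yet included

def linked(cert, nxt):
    """True if nxt is the issuer certificate of cert (name and key match)."""
    return (nxt.subject, nxt.key) == (cert.issuer, cert.signed_by)

def first_anchor_path(chain, store):
    """Stop at the first certificate whose issuer is a trusted anchor."""
    for i, cert in enumerate(chain):
        if store.get(cert.issuer) == cert.signed_by:
            return [c.subject for c in chain[: i + 1]] + [cert.issuer]
        if i + 1 == len(chain) or not linked(cert, chain[i + 1]):
            break
    return None

def walk_to_end_path(chain, store):
    """Legacy strict model: use every served certificate, anchor only the last."""
    if not all(linked(c, n) for c, n in zip(chain, chain[1:])):
        return None
    last = chain[-1]
    if store.get(last.issuer) != last.signed_by:
        return None
    return [c.subject for c in chain] + [last.issuer]

if __name__ == "__main__":
    for name, store in [("before", STORE_BEFORE), ("after", STORE_AFTER)]:
        print(name, first_anchor_path(SERVED, store), walk_to_end_path(SERVED, store))
```

Against the post-removal store only `walk_to_end_path` returns `None`; the first-anchor builder still ends at the 2022 root, and against a store that holds only Gold G2 it falls through to the cross-signed path.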
Best practices for a smooth transition
- Avoid certificate pinning. If it is required for compliance or threat-model reasons, make sure a documented fallback process is in place for cases where roots or intermediates are rotated.
- Serve the provided chain correctly. Include the issuing intermediate certificate (and, where applicable, the cross-signed root), but do not include the self-signed root in the server-delivered chain.
- Keep certificate-related software up to date, including browsers, TLS libraries (OpenSSL, BoringSSL, GnuTLS, Schannel), and application frameworks.
- Test your configuration across multiple clients and platforms, including at least one current Chrome, Firefox and Safari build, before and after 15 April 2026.
Background: Why Browsers Retire Older Roots
Chrome and Mozilla remove older-generation public TLS roots from their stores on a rolling, yearly cadence. The rationale is to reduce the long-tail risk of very old cryptographic material and key-handling practices remaining in the trust fabric of the web, and to encourage CAs and certificate users to migrate to more up-to-date hierarchies with modern controls. SwissSign Gold CA – G2 falls into the next batch of scheduled removals. This is a routine, vendor-driven housekeeping action. It is not a CA/B Forum ballot, and it does not reflect any compliance finding.
Frequently asked questions (FAQ)
No. Certificates issued under the current SwissSign hierarchy chain to SwissSign RSA TLS Root CA 2022 – 1 and are already trusted by Chrome and Mozilla. No reissuance is required because of this change.
In standard browser setups, no. The transition simply removes one of two previously valid paths. Only non-standard validation setups (pinning, strict legacy validators) can produce warnings, and only if they were specifically tied to Gold G2.
No. The removal is scoped to the TLS trust bit only. Other SwissSign certificate services are not affected by this action.
No. Apple's root store is independent of Chrome's and Mozilla's and still trusts Gold G2 today. Apple inclusion of SwissSign RSA TLS Root CA 2022 – 1 has been requested and is pending; there is no confirmed timeline yet. Microsoft and its browser (Edge) already trust the 2022 root.