20251216 - Evolution of GlobalSign Timestamping Servers for Code Signing
Starting December 10, 2025, GlobalSign is introducing a new hierarchy of Certificate Authorities (CAs) dedicated to timestamping code signatures.
Why a new hierarchy?
This evolution is part of GlobalSign's strategy to renew its trust roots. The goal:
- to guarantee ongoing compliance with security standards
- to ensure the long-term validity of code signatures
- to anticipate changes in trusted environments
What's changing
Starting December 10, 2025, new timestamping URLs will be available and can be used immediately.
New Timestamp URLs
RFC 3161 Timestamp Server:
-
URL:
http://timestamp.globalsign.com/tsa/r45standard - Application type:
timestamp-query
Microsoft Authenticode:
-
URL:
http://timestamp.globalsign.com/tsa/r45standard - Application type:
octet-stream
The Timestamps delivered via these URLs will be issued by the new GlobalSign Offline R45 Timestamping CA 2025 certificate authority.
What will happen to current timestamp URLs?
Starting March 4, 2026, currently used timestamp URLs will be automatically redirected to the new R45 hierarchy.
URLs affected by the redirection
RFC 3161 Timestamp Server:
http://timestamp.globalsign.com/tsa/r6advanced1
Microsoft Authenticode:
http://timestamp.globalsign.com/?signature=sha2
What impact will this have on my existing signatures?
None. Code signatures that have already been timestamped remain fully valid. This root change has no retroactive impact on existing signatures.
What are the recommendations?
- Start using the new timestamp URLs as soon as possible
- Update the chain of trust if the old hierarchy is stored or cached
If you were using the "GlobalSign Timestamping CA – SHA384 – G4" certificate, it must be replaced with "GlobalSign Offline R45 Timestamping CA 2025".