Dear Tencent Cloud user,
Affected by the update of root certificate trust policy by well-known browser manufacturer Mozilla, DigiCert will be gradually upgraded to new root system (G2) certificates. Since Tencent is using certificate issued by DigiCert, we have started to upgrade the old certificate to the latest G2 root system certificate.
To ensure that your business is not affected and have sufficient time to update the root certificate and JDK in your the environment, Cloud API uses a cross-signed certificate (signed by both G1 and G2 root certiicate) so that customers who have not updated the root certificate can continue to use our services. It is recommended to verify and update the root certificate and Java JDK (Java embedded root certificate) in the environment in a timely manner.
Tencent Cloud has started to update the SSL certificate of the Cloud API global access layer. This certificate update adopts the "regional and batch" mode, the details are as follows:
Beijing Time:
April 9, 2025: Siliconvalley(US West), Taiwan, Shenzhen [Completed]
April 10-14, 2025: Beijing, Singapore [Completed]
April 15-16, 2025: Shanghai
April 17, 2025: Financial Regions
April 21, 2025: Guangzhou
Impact:
1. The certificate renewal will be completed seamlessly. However, due to the differences of customer's environment, it may have certain unforeseen circumstances. We encourage all customers to remain alert and monitor for API Call. If you notice anything unexpected, please reach out to us immediately.
2. If the success rate fluctuates in the relative region during the certificate update, please restart your service in order to re-establish the connection to the cloud API. If it does not resume, kindly contact our team.
FAQ:
1. Can the update for the new certificate be delayed?
The cloud API certificate will expire on April 26, so it must be updated before that date.
2. If we can't update the root certificate in time. Will our API calls be affected?
No, they won't. We are using a cross-signed certificate, which is compatible with both old and new root certificates.
3. Our application is deployed on cloud server CVM, with a CLB (load balancer) attached to it. Will the certificate update affected us?
No, the cloud API certificate update does not affect customers using IaaS services. Access to CLB does not go through the cloud API.
4. I'm using Java. What version do I need to support the new G2 root certificate?
JRE 1.8.0_131 and above include G2. If you can’t upgrade the JRE in time, it won't impact te API calls, because we are using a cross-signed certificate. However, customers should begin testing and upgrading their JRE to a newer version.
5. My service uses SMS and SES which require Tencent's certificate (public key) to encrypt content. Where can I download the cross-signed certificate?
You can download the cross-signed certificate for our cloud API by clicking https://cloudapi-cert-1305431714.cos.ap-guangzhou.myqcloud.com/cloudapi-cert-2026/tencentcloudapi.com_2026-04.crt .
We apologize for the inconvenience caused to you and thank you for your trust and support for Tencent Cloud. If you have other questions, please Submit a Ticket or Contact Us .
