Changes to SSL certificate signing for cumulocity.com certificates and subdomains

News Security updates
1

Techcommunity Image TLS
Techcommunity Image TLS1280Γ—714 185 KB

Executive summary

What has happened?

The certificate supplier used by Cumulocity has changed their method of signing the certificates and chaining. This only impacts the platform certificate provided by Cumulocity, not any device certificates.

Major browser ecosystems (Chromium and Mozilla) are removing trust in the Starfield Class 2 root. Certificate chains relying on this root may eventually fail validation in browsers, operating systems, and TLS clients.

Continuing to use certificate chains that depend on this root may result in:

  • TLS connection failures in modern browsers and clients
  • Certificate validation errors
  • Service disruptions while accessing Cumulocity APIs
  • Compatibility issues for devices

Who is impacted?

You are impacted if you meet both of the following criteria:

  1. Environment: You use any of these public SaaS domains:

  2. Device Security: Your devices verify certificates via:

    • Certificate Pinning (Hardcoding a specific certificate or intermediate).
    • Strict Trust Stores (A limited list of allowed Root CAs).

What to do?

Perform the following checks:

  • Check if you use certificate pinning and if yes, adjust the settings to also allow the new configuration
  • Check that the device truststore data is up to date and also contains the new root anchors

Important to know

This is not an issue with the product or service that Cumulocity is offering. Cumulocity has to rotate their SSL certificates regularly when these certificates expire, thus customers are required to check and potentially change their setup to avoid device connection issues or service interruptions.

This is a routine security rotation. Failure to update your devices is not a platform defect but a requirement of maintaining secure, modern TLS communication.

Detail information

Cumulocity is using certificates from GoDaddy Certificate Authority (CA) which introduces changes to their chain. What has happened is the following:

There have been industry and GoDaddy-related certificate chain changes, which are mostly about intermediates and cross-signed roots being retired, not a completely new GoDaddy root being introduced recently. However, these changes can make it look like the root changed if you inspect the chain. GoDaddy moved from the older cross-signed certificate chain (compatible with the Class 2 root) to the standard chain terminating at Go Daddy Root Certificate Authority – G2.

1. Retirement of the older Starfield chain

Historically many GoDaddy certificates chained like this:

Starfield Class 2 Root

↓

Go Daddy Secure Certificate Authority (intermediate)

↓

Cumulocity certificate

The Starfield Class 2 root is being deprecated, and support timelines have been winding down because major browsers stopped trusting it.

Because of that, newer chains typically use:

Go Daddy Root Certificate Authority - G2

↓

Go Daddy Secure Certificate Authority - G2

↓

Cumulocity certificate

or similar variants.

2. Cross-sign removal changes what the chain looks like

Previously many certificates included cross-signed intermediates or roots for compatibility. Those are gradually disappearing as old roots age out.

Effects customers may notice:

  • The root at the top of the chain is different (e.g., G2 instead of older Starfield).
  • The chain may contain fewer certificates.
  • Some TLS libraries that expect the old chain order or pinned intermediates can fail.

3. Recent platform migrations (2025–2026)

There have also been ecosystem changes where platforms using GoDaddy certificates changed chains:

  • Azure App Service certificates (including GoDaddy-issued ones) migrated to a new certificate chain around early 2026, :double_exclamation_mark: which can affect devices, other platforms or services that pin specific certificates. :double_exclamation_mark:

4. When this actually causes problems

You typically see errors for your devices if:

  • Your application pins an intermediate or root.
  • Your trust store does not contain the newer root (G2).
  • A TLS client expects a specific chain order.
  • You manually install an outdated CA bundle.

Typical errors look like:

  • SSL_get_current_cipher() returned NULL
  • certificate verification failed
  • unable to get local issuer certificate

When Cumulocity will replace the certificates as part of their normal operations, the new root certificate and chain will become visible.

5. What needs to be done?

Test Immediately

The EU-Latest environment (*.eu-latest.cumulocity.com) already uses the new G2 certificate chain. Connect your test devices here to verify compatibility.

Update Device Configuration

  • If using Pinning: Adjust settings to allow the new G2 Root and Intermediate certificates.
  • If using Trust Stores: Ensure the Go Daddy Root Certificate Authority - G2 is installed and trusted.
  • Check CA Bundles: Ensure your devices aren’t using an outdated or hardcoded CA bundle.

Important: If you are in doubt please contact the Cumulocity support team.

3 Likes