Sectigo offers the power to cross-sign certificates with the legacy root “AddTrust External CA” so as to expand support among very legacy systems and devices. This root is expired on May 30, 2020.
All modern clients should largely be unaffected. However, legacy clients, website or other online service uses other applications or integrations may need a client or server reconfiguration to avoid error outage of service.
For the majority use cases, a standard root of Sectigo supplies the full required client support. Sectigo provides a new cross-signing root for unusual cases which is valid till 2038.
Refer to this article for a full explanation of an expired root and possible alternatives beyond that expiration date.
AddTrust External CA Expiration
Sectigo controls a root certificate referred to as the “AddTrust External CA Root”, that has been accustomed create cross-certificates to Sectigo’s modern root certificates, the “COMODO RSA Certification Authority” and “USERTrust RSA Certification Authority” which are valid till 2038.
Devices that received security updates after mid-2015 ought to have the latest USERTrust RSA Certification Authority root certificate (valid until Jan 2038) in their operating system or browser trust-stores and largely be unaffected.
In most of the modern servers, the certificate chain will work even after the expiration of the “AddTrust External CA Root” Root” as way as you’ve got a brand new “USERTrust RSA Certification Authority” or “COMODO RSA Certification Authority” within the trust-store. After this date, clients and browsers will chain back to these modern roots which are valid till 2038.
A legacy browser or older device that doesn’t have the latest “USERTRust” root wouldn’t trust it and so will look further up the chain to a root it does trust, the AddTrust External CA Root. A more modern browser would have the USERTrust root already installed and trust it without needing to rely on the older AddTrust root.
To whom does this affect?
- Legacy clients that have not received security updates and connect to Secure Socket Layer
- The clients that are too old and do not have modern ” USERTrust RSA Certification Authority root” in the trust-store.
- The clients that are configured to trust “AddTrust External CA Root” and ignores the trust-store.
How can I check if I am using the expired root?
You can check if you are using the expired root from below link:
- Go to “SSL checker“
- Enter your domain/hostname
- Click on check
- Check for the “AddTrust External CA Root” as “Issuer Common Name” and the expiration date. If it is “May 2020” you have the “AddTrust External CA Root” installed.
How can I fix this problem?
There are a couple of ways to fix this problem, the preferred option depends based on your server type and its configuration.
Reconfigure the client to use the operating system or vendor-managed trust-store if possible. If not, reconfigure the consumer to expressly trust either the “USERTrust RSA Certification Authority” or “COMODO RSA Certification Authority”.
You can find the cross-certificates from below links:
- USERTrust RSA Certification Authority: https://crt.sh/?id=1199354
- COMODO RSA Certification Authority: https://crt.sh/?id=1720081
This will build a chain of trust with a cross-signed certificate, intermediate and a leaf certificate as given below:
- USERTrust RSA Certification Authority/COMODO RSA Certification Authority [Root]
- RSA Server CA [Intermediate 1]
- End Entity [Leaf Certificate]
Update CA-bundle on your server.
Depending on your server type and configurations, you may need to update the bundle or install certificate from a scratch.
You can download the bundle files corresponding to your SSL type from below:
|Issuer Common Name||Bundle|
|Sectigo RSA||SHA-2 root (current):
SHA-1 root (supported by legacy systems):
|Comodo RSA||SHA-2 root (current):|
Reissue your certificate.
- Generate a new CSR and private key from your server with the domain/hostname.
- Go to your account.
- Go to the reissue section.
- Paste the new CSR there and click reissue.
- Soon the certificate is reissued, you will need to install it along with new root and intermediate files received.
For more information: