
InCommon/Sectigo Chain Hierarchy Intermediates and Roots

Overview of Sectigo's Trust Ecosystem

Sectigo (formerly Comodo CA) reports a 99.99% ubiquity rate across current systems and full compatibility with modern browsers, mobile devices and operating systems. After the change of name from Comodo CA, Sectigo kept the original Comodo roots and, in January 2019, introduced Sectigo-branded intermediate certificates. These intermediates are issued from the long-established USERTrust root, which is why they validate reliably in production and across a wide range of browsers.

For enterprise clients, Sectigo offers a choice between the newer Sectigo-branded root and the traditional Comodo-branded root; both remain available.

Understanding Roots and Intermediate Certificates

  • Root Certificates

A root certificate is a self-signed CA certificate that operating-system and browser vendors ship in their trusted root stores. A client trusts it because it is present in the store, not because of its signature, which is why the signature algorithm on a root matters less than the algorithms used further down the chain. The two roots relevant to the InCommon chain are:

  • AAA Certificate Services: This root, which came to Sectigo with the acquisition of Comodo CA, is signed with sha1WithRSAEncryption and expires in December 2028. It is listed at https://crt.sh/?id=331986

  • USERTrust RSA Certification Authority: Generated by Sectigo (formerly Comodo), this root is signed with sha384WithRSAEncryption and expires in January 2038. It is listed at https://crt.sh/?id=1199354

AAA Certificate Services has been in root programs far longer than newer SHA-2 roots such as USERTrust RSA, so some older platforms contain only the AAA root. To keep those platforms working, Sectigo issued cross certificates for the SHA-2 CAs signed by the AAA Certificate Services key. The SHA-1 signature on the AAA root itself is not a security risk: a root's self-signature is never verified during path validation, and the practical SHA-1 collision attacks only matter when SHA-1 is used to sign newly issued certificates. The cross certificate described below is signed with SHA-384, so no SHA-1 signature is checked anywhere on either path.

InCommon Intermediate Certificate

An intermediate certificate sits between the end-entity certificate and the root and forms the middle link of the "Chain of Trust." It is issued by the root, or by another intermediate that itself chains to the root; validation succeeds only when every certificate from the end entity back to a trusted root can be linked to its issuer. Servers must send their intermediates along with the end-entity certificate, since clients are not guaranteed to have them.

  • InCommon RSA Server CA 2:

This intermediate is signed with sha384WithRSAEncryption and expires in November 2032. It is listed at https://crt.sh/?d=8079908730

Cross-Signed Certificate

Referred to on this page as Intermediate 2, a cross-signed certificate is issued by one Certificate Authority over the public key of a CA outside its own hierarchy. It carries the same subject name and public key as that CA's own self-signed root, but a different issuer and signature, so a client that trusts only the issuing CA's root can still build a path to certificates signed by that key.

  • USERTrust RSA xSigned using AAA CA (Exp. 2028):

This cross certificate contains the USERTrust RSA Certification Authority public key, is signed by AAA Certificate Services with sha384WithRSAEncryption, and expires in December 2028. It is listed at https://crt.sh/?d=1282303295

Leaf or End-Entity Certificate:

This is the certificate a Certificate Authority issues to an individual, server or device. It is the last link in the chain: its basic constraints mark it as not a CA, so it cannot issue further certificates.

Visualization of the Chain of Trust

The figures below illustrate Sectigo's Chain of Trust:

Important Note: Both trust paths remain in use. Which one a client follows depends on two things: whether the server includes the cross-signed certificate in the chain it sends, and which roots the client's trust store contains. A client that trusts the USERTrust RSA Certification Authority root builds Path A and ignores the cross-signed certificate if it is present; a client that has only AAA Certificate Services can build Path B only if the cross-signed certificate is served. Servers should therefore keep the cross-signed certificate in their chain for as long as such older clients need to be supported.

  • Trust Chain Path A:

    • USERTrust RSA Certification Authority (Root CA) [Root]

    • InCommon RSA Server CA 2 [Intermediate]

    • End Entity [Leaf Certificate]

[Figure: Trust Chain Path A diagram]

  • Trust Chain Path B:

    • AAA Certificate Services [Root]

    • USERTrust RSA xSigned using AAA CA (Exp. 2028) [Intermediate 2]

    • InCommon RSA Server CA 2 [Intermediate 1]

    • End Entity [Leaf Certificate]

[Figure: Trust Chain Path B diagram]

Certification Path Validation

Certification path validation is performed automatically by the client: it takes the end-entity certificate and the additional certificates the server sends, searches for a path to a root in its own trust store, and checks the signature, validity period and constraints of each certificate along that path. No change should be necessary on the customer's end. Testing is still advisable, in particular to confirm that the server sends the complete chain, including the cross-signed certificate where older clients must be supported, rather than the end-entity certificate alone; contact support for detailed guidance.
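As an added example (not code from InCommon, Sectigo or this knowledge base), the Go program below rebuilds the two paths with throwaway keys and runs Go's standard-library path validator for the client/server combinations described above. The certificate names copy the page's but carry a "(toy)" suffix; the ECDSA P-256 keys, the hostname www.example.edu, the one-day validity periods and the serial numbers are all constructed for the demonstration and stand in for the real RSA certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a toy copy of the page's chain: names mirror the page, but every key and
// certificate is generated below (ECDSA P-256 for speed); none is a real Sectigo certificate.
type Hierarchy struct {
	AAARoot, USERTrustRoot *x509.Certificate // self-signed stand-ins for the two roots
	CrossCert              *x509.Certificate // USERTrust subject and key, signed by the AAA key
	InCommonCA, Leaf       *x509.Certificate // intermediate signed by the USERTrust key; server leaf
}

// template builds a one-day CA or server-leaf template (serials are constructed, not random).
func template(cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildHierarchy issues the five certificates that make up Path A and Path B.
func BuildHierarchy() (*Hierarchy, error) {
	h, err := &Hierarchy{}, error(nil)
	var keys [4]*ecdsa.PrivateKey
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, err
		}
	}
	aaaKey, utKey, icKey, leafKey := keys[0], keys[1], keys[2], keys[3]
	// sign issues tmpl over pub with the issuer's private key; the first failure is latched in err.
	sign := func(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (c *x509.Certificate) {
		if err != nil {
			return nil
		}
		var der []byte
		if der, err = x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, key); err == nil {
			c, err = x509.ParseCertificate(der)
		}
		return c
	}
	aaa := template("AAA Certificate Services (toy)", true)
	h.AAARoot = sign(aaa, aaa, &aaaKey.PublicKey, aaaKey) // self-signed: the issuer is the template itself
	ut := template("USERTrust RSA Certification Authority (toy)", true)
	h.USERTrustRoot = sign(ut, ut, &utKey.PublicKey, utKey)
	// Cross-sign: the USERTrust subject and public key again, but issued by the AAA root, so a
	// client that trusts only AAA can still reach the key that signed the InCommon intermediate.
	h.CrossCert = sign(template(ut.Subject.CommonName, true), h.AAARoot, &utKey.PublicKey, aaaKey)
	h.InCommonCA = sign(template("InCommon RSA Server CA 2 (toy)", true), h.USERTrustRoot, &icKey.PublicKey, utKey)
	h.Leaf = sign(template("www.example.edu", false), h.InCommonCA, &leafKey.PublicKey, icKey)
	return h, err
}

// Validate plays the client: it trusts only root, receives leaf plus served from the server, and
// returns the subject CNs of every chain it can build (leaf first); err is what the client would report.
func Validate(leaf, root *x509.Certificate, served ...*x509.Certificate) (paths [][]string, err error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range served {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.edu"})
	for _, chain := range chains {
		var names []string
		for _, c := range chain {
			names = append(names, c.Subject.CommonName)
		}
		paths = append(paths, names)
	}
	return paths, err
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	show := func(name string, root *x509.Certificate, served ...*x509.Certificate) {
		chains, err := Validate(h.Leaf, root, served...)
		fmt.Printf("%s\n  chains=%v err=%v\n", name, chains, err)
	}
	show("Path A: client trusts USERTrust root, server sends InCommon", h.USERTrustRoot, h.InCommonCA)
	show("Path A, cross-cert also served (the usual server bundle)", h.USERTrustRoot, h.InCommonCA, h.CrossCert)
	show("Path B: client trusts only AAA root, cross-cert served", h.AAARoot, h.InCommonCA, h.CrossCert)
	show("Legacy client, cross-cert missing from the bundle", h.AAARoot, h.InCommonCA)
}
```

Running it shows that a client holding the USERTrust RSA root builds the three-certificate Path A whether or not the server also sends the cross-signed certificate (the extra branch through the cross certificate dead-ends because AAA is not in that client's store and is simply discarded), that a client holding only AAA Certificate Services builds the four-certificate Path B only when the cross-signed certificate is served, and that leaving it out of the server bundle breaks that client with an unknown-authority error. Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server sends, followed by `openssl verify -CAfile <root> -untrusted <served chain> <leaf>` once for each root you need to support.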

