Sectigo Chain Hierarchy and Intermediate Roots
Overview
Sectigo’s public roots are as widely trusted as any other in the industry. In fact, Sectigo’s root ubiquity is well in excess of 99.99% of systems in use today and is 100% for modern browsers, mobile devices, and operating systems.
As a rebrand of the company formerly known as Comodo CA, Sectigo owns and operates all the old legacy Comodo roots.
In January 2019 we rolled out our Sectigo-branded intermediates, issued from our legacy USERTrust root.
This chain has been in production with ubiquitous browser compatibility since that date.
Enterprise customers can choose between the new Sectigo-branded intermediates and the old Comodo-branded intermediates indefinitely; both chain to the same USERTrust root.
What is a Root? What is an Intermediate?
A Root Certificate: A 'root' certificate is a self-signed certificate (the same Subject and Issuer) that a vendor has also included in a trusted root store. Clients trust it because it is in the store, not because of its self-signature.
There are 3 root certificates we're generally talking about (5 if you include the ECC variants of COMODO CA and USERTrust, which we haven't included here):
AAA Certificate Services:
https://crt.sh/?id=331986
Self-signature uses sha1WithRSAEncryption. Expires Dec 2028.
USERTrust RSA CA:
https://crt.sh/?id=1199354
Self-signature uses sha384WithRSAEncryption. Expires in Jan 2038.
COMODO RSA CA:
https://crt.sh/?id=1720081
Self-signature uses sha384WithRSAEncryption. Expires in Jan 2038.
The AAA Certificate Services root came to Sectigo by way of an acquisition many years ago; the COMODO and USERTrust roots were generated by Sectigo itself (then Comodo).
AAA Certificate Services has therefore been included in some root programs for longer than the newer SHA-2 COMODO/USERTrust roots.
A very small number of platforms still lack the newer SHA-2 roots for various reasons. To reach them, when we generated the newer roots we also signed 'cross certificates': the AAA Certificate Services root signed the public key of each of the SHA-2 CAs, so a client that trusts only AAA can still build a path to certificates issued under them.
One example of the USERTrust RSA CA being signed by AAA Root: https://crt.sh/?id=1282303295.
(It should be noted that although the AAA root's own signature uses SHA-1, this poses no security risk. The weakness of SHA-1 is the practical feasibility of collisions, which an attacker can only exploit by obtaining a *new* signature over an input they prepared; it does not affect a certificate that was generated and distributed long ago.
In addition, a root's self-signature is never verified during path validation: clients trust the root because it is present in their trust store, and path validation checks the signatures on the certificates below it, not the root's own.
This is why the root programs of Microsoft, Mozilla, Apple, and Google continued to include these older roots and have no concerns about chains that end at them.
Of course, many of them are expiring in the short term and so will be out of use soon.)
-Intermediate Certificate: An intermediate certificate is a CA certificate issued by the root (or by another intermediate) that in turn issues end-entity certificates, so the root key itself can stay offline. It forms the link in the "Chain of Trust" between an end-entity certificate and a root certificate; every intermediate must be issued by the root, directly or through other intermediates, for the chain to complete.
-Cross-signed Certificate: A certificate issued by a certificate authority (CA) over the public key of another CA outside its own hierarchy, establishing a trust relationship between the two CAs. Because it carries the same subject name and key as the other CA's root, clients can use it in place of that root. (In the paths below it appears as Intermediate 2, the issuer of Intermediate 1.)
-End-Entity Certificate: A digitally signed certificate issued by a Certificate Authority to a person or system (for example, a server certificate). It cannot issue other certificates.
The trust chain paths below show our Chain of Trust.
Important Note: All four trust chains are valid and in use by clients today.
If the cross-signed certificate is not present in the chain the server sends, the end-entity certificate validates via Path A or B.
If the cross-signed certificate is present, the end-entity certificate can also validate via Path C or D, which is what allows platforms that trust only the AAA root to accept it.
Certification path validation is performed automatically on the client side, and no changes are required on the customer's end.
***Testing is still recommended; for further details please contact support.***
Trust Chain Path A:
USERTrust RSA Certification Authority [Root]
Sectigo RSA DV/OV/EV Secure Server CA [Intermediate 1]
End Entity [Leaf Certificate]
Trust Chain Path B:
USERTrust RSA Certification Authority [Root]
Comodo RSA DV/OV/EV Secure Server CA [Intermediate 1]
End Entity [Leaf Certificate]
Trust Chain Path C:
AAA Certificate Services [Root]
USERTrust RSA Certification Authority, cross-signed by AAA Certificate Services (Exp. 2028) [Intermediate 2]
Sectigo RSA DV/OV/EV Secure Server CA [Intermediate 1]
End Entity [Leaf Certificate]
Trust Chain Path D:
AAA Certificate Services [Root]
COMODO RSA Certification Authority, cross-signed by AAA Certificate Services (Exp. 2028) [Intermediate 2]
Comodo RSA DV/OV/EV Secure Server CA [Intermediate 1]
End Entity [Leaf Certificate]
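The following is an added example, not Sectigo's code or tooling, that shows how a client's path builder ends up on Path A versus Path C depending on whether the cross-signed certificate is served and which roots the client trusts. It builds a constructed miniature of the hierarchy with the `cryptography` library (made-up keys, names suffixed "(constructed)", and validity periods; nothing is fetched from crt.sh) and then walks from the leaf toward a trust anchor, verifying each signature with the issuer's key. Two details from the text are visible in the code: a root is matched as an anchor without its own self-signature ever being verified, and a platform that trusts only the AAA root fails to build any path when the cross-certificate is missing.

```python
"""Constructed miniature of the Sectigo hierarchy: two self-signed roots
(AAA-like and USERTrust-like), a cross-certificate of the USERTrust key
signed by AAA, one issuing CA and one leaf. All names, keys and validity
periods are made up for this example; nothing is fetched."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject_cn, subject_key, issuer_cert, issuer_key, ca, years):
    """Issue a certificate; issuer_cert=None means self-signed."""
    now = dt.datetime.now(dt.timezone.utc)
    issuer_name = issuer_cert.subject if issuer_cert is not None else _name(subject_cn)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(days=1))
        .not_valid_after(now + dt.timedelta(days=365 * years))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def _spki(cert):
    """DER SubjectPublicKeyInfo, used to recognise 'same key' certificates."""
    return cert.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)


def _issued_by(child, issuer):
    """True if `issuer` names and actually signed `child`. Only the child's
    signature is checked; an anchor's own self-signature is never verified."""
    if child.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(
            child.signature, child.tbs_certificate_bytes,
            padding.PKCS1v15(), child.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def build_path(leaf, sent, trust_store, max_depth=5):
    """Return [leaf, ..., anchor] or None. `sent` is what the server delivered
    (intermediates, maybe a cross-cert); `trust_store` is the client's roots.
    A trusted issuer wins as soon as one is found, so the cross-cert is used
    only when the store lacks the root it bridges to (this example's policy)."""
    def walk(cert, path):
        for anchor in trust_store:
            if _issued_by(cert, anchor):
                return path + [anchor]
        if len(path) >= max_depth:
            return None
        for cand in sent:
            # Skip loops and self-issued hops (cross-cert and root share key and name).
            if cand in path or _spki(cand) == _spki(cert):
                continue
            if _issued_by(cert, cand):
                found = walk(cand, path + [cand])
                if found:
                    return found
        return None
    return walk(leaf, [leaf])


def cn_chain(path):
    return [c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value for c in path]


def demo_pki():
    """Build the constructed hierarchy once; returns a dict of named certs."""
    aaa_key, ut_key, ica_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(4))
    aaa = _issue("AAA Certificate Services (constructed)", aaa_key, None, aaa_key, True, 20)
    ut = _issue("USERTrust RSA Certification Authority (constructed)", ut_key, None, ut_key, True, 30)
    # Cross-certificate: same subject and key as the USERTrust root, signed by AAA.
    cross = _issue("USERTrust RSA Certification Authority (constructed)", ut_key, aaa, aaa_key, True, 10)
    ica = _issue("Sectigo RSA Domain Validation Secure Server CA (constructed)", ica_key, ut, ut_key, True, 10)
    leaf = _issue("www.example.com", leaf_key, ica, ica_key, False, 1)
    return {"aaa": aaa, "ut": ut, "cross": cross, "ica": ica, "leaf": leaf}


def paths_for(pki):
    """Paths A and C from the article, plus the failure when the cross-cert is missing."""
    modern = [pki["ut"], pki["aaa"]]   # current platform: both roots in the store
    legacy = [pki["aaa"]]              # old platform: only the AAA root
    served = [pki["ica"], pki["cross"]]
    return {
        "A_modern_with_cross": cn_chain(build_path(pki["leaf"], served, modern)),
        "C_legacy_with_cross": cn_chain(build_path(pki["leaf"], served, legacy)),
        "legacy_without_cross": build_path(pki["leaf"], [pki["ica"]], legacy),
    }


if __name__ == "__main__":
    for label, chain in paths_for(demo_pki()).items():
        print(label, "->", chain)
```

The modern client stops at the USERTrust root after two hops and never touches the cross-certificate, while the legacy client (AAA only) uses the cross-certificate as Intermediate 2 and ends at AAA; served without the cross-certificate, the legacy client cannot reach any anchor, which is the case the article's "Testing is still recommended" note is guarding against.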
Related: For Sectigo Intermediate Certificates, please refer to the below links:
Sectigo Intermediate Certificates - RSA
Sectigo Intermediate Certificates - ECC
Changes to Comodo CA Issuing CAs - NEW Sectigo branded issuing CAs