Knowledge Base
Sectigo Public Root CAs Migration FAQ
Overview
Starting in 2025, all new certificate issuance moves to Sectigo's new Public Root CAs, which are now included in the major root stores (Mozilla, Microsoft, Apple, and Google/Chrome). This affects SSL/TLS certificates used for website security and S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates used for email. By the end of this article you will know the migration date for each certificate type — Domain Validation (DV), Organization Validation (OV), Extended Validation (EV), and S/MIME — what you need to do to prepare, and the exact root and subordinate CAs before and after migration. The certificate tables below cover both RSA (Rivest–Shamir–Adleman) and ECC (Elliptic Curve Cryptography) keys. Your existing certificates remain valid until they expire.
Key migration dates
- S/MIME: March 1, 2025
- EV TLS: April 15, 2025
- OV TLS: May 15, 2025
- DV TLS: June 2, 2025
New certificates issued after each date come from the new Public Root CAs. The change-over happens at some point on the stated date.
What are Sectigo Public Root CAs, and why is this important?
Sectigo Public Root Certificate Authorities (CAs) are the foundational certificates that let digital certificates be trusted across the web. They are now included in the major root stores (Mozilla, Microsoft, Apple, and Google/Chrome), so your Sectigo certificates have enhanced security and trust on modern platforms for websites, email, and other digital transactions.
What is changing with my Sectigo certificates?
All certificate issuance migrates to the new Sectigo Public Root CAs on the dates listed under Key migration dates. This affects SSL/TLS certificates used for website security and S/MIME certificates used for email. After each date, all newly issued certificates of that type come from the new Public Root CAs.
What do I need to do to prepare?
- Discontinue certificate pinning: Review whether you use certificate pinning in any form. Sectigo strongly recommends against it. If you pin a Root CA or Subordinate CA, make sure the new Root CAs and Subordinate CAs are accepted.
- Update used certificates: If you have hard-coded specific Root CAs or Subordinate CAs in your implementation tools, update them to install the correct CA certificates after the switch-over.
- Update your systems: Review your certificate profiles and ensure everything is ready to accept certificates from the new Sectigo Public Roots.
Will this impact existing certificates?
No. Your existing certificates remain valid until they expire. The change applies only to certificates issued after the migration dates. If you hold a multi-year subscription certificate, a reissue occurs after the migration dates, and Sectigo supplies the new Public Root CAs with your end-entity certificate.
What is cross-signing?
CAs often control multiple root certificates, and generally the older the root, the more widely distributed it is on older platforms. CAs generate cross-certificates to make their certificates as widely supported as possible. A cross-certificate is where one root certificate is used to sign another, using the same public key and Subject as the root being signed.
Which CAs are used for S/MIME before and after March 1, 2025?
|
Key |
Current Root CA |
Current Subordinate CA |
New Root CA (Mar 1, 2025) |
New Subordinate CA |
|
RSA |
USERTrust RSA Certification Authority (crt.sh/?d=1199354) |
Sectigo RSA Client Authentication and Secure Email CA (crt.sh/?d=924467858) |
Sectigo Public Email Protection Root R46 (crt.sh/?d=4256644602) |
Sectigo Public Email Protection CA R36 (crt.sh/?d=4267304694) |
|
ECC |
USERTrust ECC Certification Authority (crt.sh/?d=2841410) |
Sectigo ECC Client Authentication and Secure Email CA (crt.sh/?d=924467856) |
Sectigo Public Email Protection Root E46 (crt.sh/?d=4256644601) |
Sectigo Public Email Protection CA E36 (crt.sh/?d=4267304699) |
Which CAs are used for EV TLS before and after April 15, 2025?
|
Key |
Current Root CA |
Current Subordinate CA |
New Root CA (Apr 15, 2025) |
New Subordinate CA |
|
RSA |
USERTrust RSA Certification Authority (crt.sh/?d=1199354) |
Sectigo RSA Extended Validation Secure Server CA (crt.sh/?d=924467854) |
Sectigo Public Server Authentication Root R46 (crt.sh/?d=4256644734) |
Sectigo Public Server Authentication CA EV R36 (crt.sh/?d=4267304687) |
|
ECC |
USERTrust ECC Certification Authority (crt.sh/?d=2841410) |
Sectigo ECC Extended Validation Secure Server CA (crt.sh/?d=924467862) |
Sectigo Public Server Authentication Root E46 (crt.sh/?d=4256644603) |
Sectigo Public Server Authentication CA EV E36 (crt.sh/?d=4267304692) |
Which CAs are used for OV TLS before and after May 15, 2025?
|
Key |
Current Root CA |
Current Subordinate CA |
New Root CA (May 15, 2025) |
New Subordinate CA |
|
RSA |
USERTrust RSA Certification Authority (crt.sh/?d=1199354) |
Sectigo RSA Organization Validation Secure Server CA (crt.sh/?d=924467857) |
Sectigo Public Server Authentication Root R46 (crt.sh/?d=4256644734) |
Sectigo Public Server Authentication CA OV R36 (crt.sh/?d=4267304698) |
|
ECC |
USERTrust ECC Certification Authority (crt.sh/?d=2841410) |
Sectigo ECC Organization Validation Secure Server CA (crt.sh/?d=924467859) |
Sectigo Public Server Authentication Root E46 (crt.sh/?d=4256644603) |
Sectigo Public Server Authentication CA OV E36 (crt.sh/?d=4267304689) |
Which CAs are used for DV TLS before and after June 2, 2025?
|
Key |
Current Root CA |
Current Subordinate CA |
New Root CA (Jun 2, 2025) |
New Subordinate CA |
|
RSA |
USERTrust RSA Certification Authority (crt.sh/?d=1199354) |
Sectigo RSA Domain Validation Secure Server CA (crt.sh/?d=924467861) |
Sectigo Public Server Authentication Root R46 (crt.sh/?d=4256644734) |
Sectigo Public Server Authentication CA DV R36 (crt.sh/?d=4267304690) |
|
ECC |
USERTrust ECC Certification Authority (crt.sh/?d=2841410) |
Sectigo ECC Domain Validation Secure Server CA (crt.sh/?d=924467852) |
Sectigo Public Server Authentication Root E46 (crt.sh/?d=4256644603) |
Sectigo Public Server Authentication CA DV E36 (crt.sh/?d=4267304693) |
How will Sectigo ensure backward compatibility with legacy systems?
All of Sectigo's new Root CAs are cross-signed by Sectigo's long-standing root CAs:
- AAA Certificate Services
- USERTrust RSA Certification Authority (for RSA)
- USERTrust ECC Certification Authority (for ECC)
These cross-signings extend the trust of the new Root CAs to legacy systems that recognize the long-standing roots but do not yet know the new CA certificates.
How will this impact partners and customers using their own branded Subordinate CAs?
If you use one or more branded Subordinate CAs, expect further communication. Sectigo will reach out throughout 2025 to migrate these to new subordinate CAs under the Sectigo Public Root infrastructure.
How is Sectigo preparing for future industry changes?
Sectigo continuously monitors industry trends and standards, so customers are equipped with current, secure technologies. This migration is one step in Sectigo's ongoing effort to keep your certificates aligned with evolving security practices.
Need assistance?
Contact our team for help with your purchase or issuing your certificate.
Live chat
Click the button below or click "Chat with an Expert" to start chatting with us now!
