Knowledge Base

Knowledge BaseRoot & Intermediate(s)

Sectigo Root Certificates

Updated on April 17, 2025

Sectigo Root Certificates

Currently Sectigo operate 4 ‘modern’ root certificates:

(Each certificate can be viewed and downloaded from the crt.sh link)

These root certificates were added into the following platforms:

Apple:

Microsoft:

Windows XP (via Automatic Root Update; Note: ECC wasn't supported by Windows until Vista)
Windows Phone 7

Mozilla:

Google:

Oracle:

Opera:

360 Browser:

Additionally, each of the 4 modern roots have been cross-signed by an older Sectigo root certificate:

This cross-certification provides additional backward-compatibility for legacy versions of software:

The cross-certificates for each of the four modern roots, signed by AAA Certificate Services can be found here:

AAA Certificate Services - USERTrust RSA Certification Authority - https://crt.sh/?id=1282303295
AAA Certificate Services - USERTrust ECC Certification Authority - https://crt.sh/?id=1282303296
AAA Certificate Services - COMODO RSA Certification Authority - https://crt.sh/?id=2545965608
AAA Certificate Services - COMODO ECC Certification Authority - https://crt.sh/?id=2545966120

FAQs

What is cross-signing?

A root certificate is a self-signed certificate that has been included in a trust store by a software or OS vendor, so that users and clients of that product automatically trust the root certificate.
CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms.
To take advantage of this and ensure compatibility across as many platforms, CAs generate cross certificates to ensure that their certificates are as widely supported as possible.
A cross certificate is where one root certificate is used to sign another.
The cross certificate uses the same public key and Subject DN (Distinguished Name) as the root being signed.
Browsers and clients will chain back to the “best” root certificate they trust.

When do the root certificates expire?

The AAA Certificate Services root expires in 2028, but will be retired before that date.
The requirement to use the cross-signing for legacy compatibility is diminishing all the time, as most modern, up-to-date software already has the modern roots embedded in the trust store.
The other modern roots expire in 2038.

Are new root certificates being added?

SMIME (After March 1^st. 2025)

RSA: Sectigo Public Email Protection Root R46 (https://crt.sh/?d=4256644602)

ECC: Sectigo Public Email Protection Root E46 (https://crt.sh/?d=4256644601)

DV TLS Roots (After June 2, 2025)

RSA: Sectigo Public Server Authentication Root R46 (https://crt.sh/?d=4256644734)

ECC: Sectigo Public Server Authentication Root E46 (https://crt.sh/?d=4256644603)

OV TLS Roots (After May 15, 2025)

RSA: Sectigo Public Server Authentication Root R46 (https://crt.sh/?d=4256644734)

ECC: Sectigo Public Server Authentication Root E46 (https://crt.sh/?d=4256644603)

EV TLS Roots (After April 15, 2025)

RSA: Sectigo Public Server Authentication Root R46 (https://crt.sh/?d=4256644734)

ECC: Sectigo Public Server Authentication Root E46 (https://crt.sh/?d=4256644603)

Code signing:

RSA: OV SectigoPublicCodeSigningRootR46_USERTrust Root [Cross Signed ] Download

RSA: SectigoPublicCodeSigningRootR46_USERTrust Root [ Cross Signed ] Download