SearchSupportFree trial
Contact us

Knowledge Base

Knowledge BaseSectigo Certificate Manager (SCM)

Sectigo new Public Roots and Issuing CAs Hierarchy

Updated on August 14, 2025

Summary Overview

Sectigo continues to lead the way in delivering trusted digital security. With the successful incorporation of our new Public Root CAs into major root stores, including Mozilla, Microsoft, Apple, and Google/Chrome, we’re entering a new phase of certificate issuance.

This document shows the new (in-use in 2024/2025) Sectigo issuing CAs and hierarchies, including cross-certificates.

Information is provided on all of the self-signed ‘roots’ and cross-certificates, along with a table showing which versions of popular software the roots were initially included in.
 

What are Sectigo Public Root CAs, and why is this important?

Sectigo Public Root CAs (Certificate Authorities) are foundational elements in ensuring that digital certificates are trusted across the web. They are now incorporated into the major root stores (Mozilla, Microsoft, Apple, Google/Chrome). This means your Sectigo certificates will enjoy enhanced security and trust on all modern platforms, ensuring that your websites, email communications, and other digital transactions remain secure.

Why is Sectigo making this change to the Public Root CAs?

The migration to Sectigo’s new Public Root CAs is a proactive step to ensure our certificates remain highly secure, trusted, and compliant with modern industry standards. By incorporating the new roots into major root stores (Mozilla, Microsoft, Apple, Google/Chrome), Sectigo is securing the future reliability of your certificates. This change also aligns with evolving security requirements, following industry standards and requirements set by root stores and the CA/Browser Forum, ensuring that both we and your organization stays ahead of potential threats while maintaining trust across all platforms and devices.

 

Below are Sectigo Roots and Issuing CA for RSA, and ECC trust path:

 

RSA Trust Path:
Root: SectigoPublicServerAuthenticationRootR46 https://crt.sh/?d=4256644734
Issuing CA: SectigoPublicServerAuthenticationCADVR36 https://crt.sh/?d=4267304690
Issuing CA: SectigoPublicServerAuthenticationCAOVR36 https://crt.sh/?d=4267304698
Issuing CA: SectigoPublicServerAuthenticationCAEVR36 https://crt.sh/?d=4267304687

ECC Trust path:
Root: SectigoPublicServerAuthenticationRoot E46 https://crt.sh/?d=4256644603
Issuing CA: SectigoPublicServerAuthenticationCADVE36 https://crt.sh/?d=4267304693

Issuing CA: SectigoPublicServerAuthenticationCAOVE36 https://crt.sh/?d=4267304689

Issuing CA: SectigoPublicServerAuthenticationCAEVE36 https://crt.sh/?d=4267304692
 

 

What is cross-signing?

CAs often control multiple root certificates, and generally the older the root, the more widely distributed it is on older platforms. In order to take advantage of this fact, CAs generate cross certificates to ensure that their certificates are as widely supported as possible. A cross certificate is where one root certificate is used to sign another.

The cross certificate uses the same public key and Subject as the root being signed.

All our new Root CAs, have been cross signed by both of our long-standing Root CAs:

  • USERTrust ECC Certification Authority (For ECC):
    https://crt.sh/?id=2841410
    Uses sha384WithRSAEncryption. Expires in Jan 2038.
     

    Through these cross-signings, we extend the ubiquity of the new Root CAs, so they are also trusted on legacy systems that may not know about these new CA certificates but do know about the long-standing Root CAs mentioned above.




 

What to Do if You Encounter a Chain Issue:

  1. Ensure the new Root CA and the corresponding Issuing CA are imported into your trusted certificate store.
  2. Import the cross-sign bundle along with your certificate to maintain backward compatibility.
  3. Contact Support if you experience any further issues or need assistance.

    CA bundles attached:


 

Attachments

Root Sectigo Public Server Authentication Root R46 (July 22, 2025)
UserTRUST to R46 to OV R36_Bundle (June 20, 2025)
New DV Sectigo Public CA ECC Bundle (June 9, 2025)
UserTRUST to R46 to DV R36_Bundle (June 20, 2025)
New OV Sectigo Public CA RSA Bundle (June 9, 2025)
New EV Sectigo Public CA RSA Bundle (June 9, 2025)
New OV Sectigo Public CA ECC Bundle (June 9, 2025)
New DV Sectigo Public CA RSA Bundle (June 9, 2025)
New EV Sectigo Public CA ECC Bundle (June 9, 2025)
UserTRUST to R46 to EV R36_Bundle (June 20, 2025)
Issuing CA Sectigo Public Server Authentication CA EV R36 (July 22, 2025)
Issuing CA Sectigo Public Server Authentication CA OV R36 (July 22, 2025)

Need assistance?

Contact our team for help with your purchase or issuing your certificate.

Live chat

Click the button below or click "Chat with an Expert" to start chatting with us now!

Start chat

Call us today

United States
+1 888 266 6361
France
+33 3 66 72 95 95
Italy
+39 02 4792 1708
Spain
+34 900 838 451
Germany
+49 800 1002328
International
+1 914 732 844

Resources