Changes to Root CA hierarchies and trust status


Sectigo is migrating all certificate issuance from legacy multi-purpose Root CAs to modern single-purpose Root CAs to meet evolving browser and security standards. Most transitions are complete, with full migration expected by January 2026. Legacy roots such as COMODO and USERTrust will lose trust in Chrome and Mozilla between 2025 and 2027 due to new policies limiting CA lifespans and enforcing single-purpose roots. Sectigo recommends all customers move to the new R46 and E46 hierarchies to maintain trust and compliance.
Earlier this year, Sectigo initiated a Public Root CA migration, aimed at moving the majority of certificate issuance from our historical multi-purpose Root CAs to our newer single-purpose Root CAs. This change also aligns with evolving security requirements, following industry standards and requirements set by root stores and the CA/Browser Forum, ensuring that both we and your organization stay ahead of potential threats while maintaining trust across all platforms and devices.
By now, the majority of certificate issuance has been migrated to the new hierarchies, with the remainder being migrated over in the upcoming weeks.
With this notification, we want to update you on further changes and the trust status of our previous generations of Root CAs.
Continued transition away from legacy CAs
We are continuing our Root CA migration and aim to move all pending customers to the new single-purpose hierarchies (Sectigo Public Server Authentication Root R46 or Sectigo Public Server Authentication Root E46). Our expectation is that this will be completed by January of 2026.
Removal of trust for legacy CAs
Our migration towards the new single-purpose Root CAs is not only a matter of following best practice; it is an essential need. Over the last few years, several trusted root programs have made policy changes which mean that Root CAs will be removed no later than 15 years after the creation of their private keys. Additionally, the Chrome root program has announced it will set an SCTNotAfter date for any root not considered a single-purpose root. For Sectigo’s legacy CAs, this will have an effect on all multi-purpose roots. The table below shows when each Root CA is expected to have its trust for TLS certificates removed:
Root CA | Chrome TLS SCTNotAfter date | Chrome and Mozilla TLS Distrust date |
AAA Certificate Services | N/A | 2025-04-15 |
COMODO Certification Authority | N/A | 2026-04-15 |
COMODO ECC Certification Authority | 2026-06-15 | 2027-04-15 |
COMODO RSA Certification Authority | 2026-06-15 | 2027-04-15 |
USERTrust ECC Certification Authority | 2026-06-15 | 2027-04-15 |
USERTrust RSA Certification Authority | 2026-06-15 | 2027-04-15 |
Explainer:
The “Chrome and Mozilla TLS Distrust date” entails a direct removal of TLS trust for the Root CA. Any certificate already issued will no longer be trusted within Chrome and Mozilla as of this date.
The “Chrome TLS SCTNotAfter date” states the earliest date that Chrome may set as an SCTNotAfter date. An SCTNotAfter-type distrust entails that any certificates published to CT logs and issued prior to this date will remain trusted until their expiration date, whereas certificates issued after this date will not.
Note: Mozilla is the gatekeeper of NSS. NSS, as a trusted root store, is utilized by a vast majority of Linux and BSD operating systems, amongst others. As such, any trust removal from Mozilla will similarly be reflected in these locations.
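The two date types above can be applied to a certificate inventory to find certificates that lose trust before they expire. The following is an added example, not Sectigo code: the inventory rows and host names are constructed, the SCTNotAfter column is treated as if Chrome enforces it on the earliest permitted date, and an SCT dated exactly on that date is assumed to fall outside the grandfathered set.

```python
from datetime import date

# (Chrome SCTNotAfter, Chrome/Mozilla distrust) dates copied from the table above.
LEGACY_ROOTS = {
    "AAA Certificate Services": (None, date(2025, 4, 15)),
    "COMODO Certification Authority": (None, date(2026, 4, 15)),
    "COMODO ECC Certification Authority": (date(2026, 6, 15), date(2027, 4, 15)),
    "COMODO RSA Certification Authority": (date(2026, 6, 15), date(2027, 4, 15)),
    "USERTrust ECC Certification Authority": (date(2026, 6, 15), date(2027, 4, 15)),
    "USERTrust RSA Certification Authority": (date(2026, 6, 15), date(2027, 4, 15)),
}

def trust_cutoffs(root, earliest_sct, not_after):
    """Return (chrome, mozilla): first date each program no longer trusts the cert.

    chrome is None when the earliest SCT is not before the SCTNotAfter date,
    i.e. the certificate is not grandfathered (assumed worst case).
    """
    if root not in LEGACY_ROOTS:
        return not_after, not_after        # root not in the table: trust ends at expiry
    sct_not_after, distrust = LEGACY_ROOTS[root]
    cutoff = min(not_after, distrust)      # the distrust date also cuts off issued certs
    if sct_not_after is not None and earliest_sct >= sct_not_after:
        return None, cutoff
    return cutoff, cutoff

def needs_reissue(inventory):
    """Names of certificates that lose trust in Chrome or Mozilla before expiry."""
    flagged = []
    for name, root, earliest_sct, not_after in inventory:
        chrome, mozilla = trust_cutoffs(root, earliest_sct, not_after)
        if chrome is None or chrome < not_after or mozilla < not_after:
            flagged.append(name)
    return flagged

# Constructed inventory: (name, root CA, earliest SCT date, notAfter date).
INVENTORY = [
    ("www.example.test", "USERTrust RSA Certification Authority", date(2026, 3, 1), date(2027, 3, 15)),
    ("api.example.test", "USERTrust RSA Certification Authority", date(2026, 7, 1), date(2027, 1, 15)),
    ("legacy.example.test", "COMODO Certification Authority", date(2025, 10, 1), date(2026, 10, 1)),
    ("new.example.test", "Sectigo Public Server Authentication Root R46", date(2026, 7, 1), date(2027, 1, 15)),
]

if __name__ == "__main__":
    for name, *cert in INVENTORY:
        print(name, trust_cutoffs(*cert))
    print("reissue from a new hierarchy:", needs_reissue(INVENTORY))
```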