Sectigo at present offers the ability to cross-sign certificates with the AddTrust legacy root to increase support among very old systems and devices. This root is due to expire at the end of May, 2020. Any applications or installations that depend on this cross-signed root must be updated by May, 2020 or run the risk of outage or displayed error message.
For the vast majority of use cases Sectigo’s standard root supplies the full required client support. For unusual cases, Sectigo offers a new cross signing option with its AAA root.
AddTrust Root Expiration
Sectigo controls a root certificate called the AddTrust External CA Root, which has been used to create cross-certificates to Sectigo’s modern root certificates, the COMODO RSA Certification Authority and USERTrust RSA Certification Authority (as well as the ECC versions of those roots). These roots don’t expire until 2038.
However, the AddTrust External CA Root expires on May 30th 2020.
After this date, clients and browsers will chain back to the modern roots that the older AddTrust was used to cross sign. No errors will be displayed on any updated, newer device or platform which has had updates.
What Sectigo Certificate Users Need to Do
For most use cases, including certificates serving modern client or server systems, no action is required, whether or not you have issued certificates cross-chained to the AddTrust root.
For business processes that depend on very old systems, Sectigo has made available a new legacy root for cross-signing, the “AAA Certificate Services” root. However, please use extreme caution about any process that depends on very old legacy systems. Systems that have not received the updates necessary to support newer roots such as Sectigo’s COMODO root will inevitably be missing other essential security updates and should be considered insecure. If you would still like to cross-sign to the AAA Certificate Services root, please contact Sectigo directly.
Read our full AddTrust root expiration Knowledgebase article.
UPDATE 6/1/20: We are here to help Sectigo customers needing assistance with the AddTrust root expiration. For help options, please see our Support page.