Speed up SSL issuance
GoGetSSL® offers fastest issuance of SSL due to use of LEI code and API automation. Legal Entity Identifier (LEI) is a global identity code, just like DUNS. Learn how LEI works.
Upcoming AddTrust Root Expiration – What You Need to Know. Sectigo at present offers the ability to cross-sign certificates with the AddTrust legacy root to increase support among very old systems and devices. This root is due to expire at the end of May, 2020. Any applications or installations that depend on this cross-signed root must be updated by May, 2020 or run the risk of outage or displayed error message. For the vast majority of use cases Sectigo’s standard root supplies the full required client support.
For unusual cases, Sectigo offers a new cross signing option with its AAA root, which will does not expire until 2038. Read this article for a full explanation of cross signing, the AddTrust root expiration, and potential alternatives beyond that expiration date.
Root certificates are self-signed certificates. This means the “Issuer” and ”Subject” are the same. A root certificate becomes a trusted root certificate (or trusted CA, or trust anchor) by virtue of being included by default in the trust store of a piece of software such as a browser or OS. These trust stores are updated by the browser software or OS frequently, often as part of security updates, but on older outdated platforms they were often updated only as part of a full software update – such as Windows Service Packs or optional Windows Update releases.
Certificates for your site are issued from a “chain” of issuing or “intermediate” CA that completes a path back to these trusted root certificates.
It is important to note that security updates are of paramount importance today. There may be devices which do not have updates to include modern roots – but as a consequence also do not support standards required by the modern internet. A good example is Android. While Android 2.3 Gingerbread does not have the modern roots installed and relies on AddTrust, it also does not support TLS 1.2 or 1.3, and is unsupported and labelled obsolete by the vendor.
CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms. In order to take advantage of this fact, CAs generate cross certificates to ensure that their certificates are as widely supported as possible. A cross certificate is where one root certificate is used to sign another. The cross certificate uses the same public key and Subject as the root being signed.
For example, a cross certificate could be:
Subject: COMODO RSA Certification Authority Issuer: AddTrust External CA Root https://crt.sh/?id=1044348
Uses the same Subject and public key as the self-signed COMODO root certificate. Browsers and clients will chain back to the “best” root certificate they trust.
Sectigo controls a root certificate called the AddTrust External CA Root, which has been used to create cross-certificates to Sectigo’s modern root certificates, the COMODO RSA Certification Authority and USERTrust RSA Certification Authority (as well as the ECC versions of those roots). These roots don’t expire until 2038.
However, the AddTrust External CA Root expires on May 30th 2020. After this date, clients and browsers will chain back to the modern roots that the older AddTrust was used to cross sign. No errors will be displayed on any updated, newer device or platform which has had updates
For most use cases, including certificates serving modern client or server systems, no action is required, whether or not you have issued certificates cross-chained to the AddTrust root.
For business processes that depend on very old systems, Sectigo has made available a new legacy root for cross-signing, the “AAA Certificate Services” root. However, please use extreme caution about any process that depends on very old legacy systems. Systems that have not received the updates necessary to support newer roots such as Sectigo’s COMODO root will inevitably be missing other essential security updates and should be considered insecure. If you would still like to cross-sign to the AAA Certificate Services root, please contact Sectigo directly.
Get a Domain Validation SSL certificate within just 5 minutes using our friendly and automated system. No paperwork, callback or company required.
Found a better price? We will match it - guaranteed. Get the best possible price in the World with us. The correct place to save your money.
Try 90-day Trial SSL Certificate before the real purchase to test cert's functionality. 99.9% browser and mobile support. Free reissues.
Customer satisfaction is our major concern. Get a full refund within 30 days for any purchase of SSL certificates with 100% guarantee.
GoGetSSL® offers fastest issuance of SSL due to use of LEI code and API automation. Legal Entity Identifier (LEI) is a global identity code, just like DUNS. Learn how LEI works.