Sectigo AddTrust External CA Root Expiring May 30, 2020


Sectigo currently offers the ability to cross-sign certificates with the legacy AddTrust root in order to extend support to very old systems and devices, but that root expires on 30th May 2020.

Sectigo’s standard root provides the full client support required for the vast majority of use cases. For unusual cases, Sectigo offers a new cross-signing option with its AAA root, which will not expire until 2038.

For a full explanation of cross signing, the AddTrust root expiration, and possible alternatives beyond that expiration date, read this article.

What Is a Root Certificate?

In cryptography, a root certificate is a self-signed public key certificate that sits at the top of a public key infrastructure based on X.509.

A root certificate becomes a trusted root certificate (or trusted CA) by being included by default in the trust store of a piece of software such as a browser or operating system. These trust stores are frequently updated by the client software or OS, often as part of security updates, but on older, obsolete platforms they have often been updated only as part of a full software update.

Certificates for your site are issued by an “intermediate” CA, forming a “chain” of issuance that completes a path back to one of these trusted root certificates. Security updates are crucial here: a tool that has not been updated to include modern roots will, as a result, also fail to meet the support standards required by the modern internet.

Example: Android 1.5 Cupcake does not have the modern roots installed and relies on AddTrust; it also does not support TLS 1.2 or 1.3, and it is outdated and unsupported by the vendor.

What Is Cross-Signing?

Certificate Authorities frequently control multiple root certificates, and generally the older a root is, the more widely it is distributed on older platforms. To take advantage of this, CAs generate cross-certificates to ensure that their certificates are supported as widely as possible.

The cross-certificate uses the same public key as the root being signed, and the same subject.

For example, a cross-certificate with:
  Subject: COMODO RSA Certification Authority
  Issuer: AddTrust External CA Root

uses the same Subject and public key as the self-signed COMODO root certificate.

AddTrust External CA Expiration

Sectigo operates a root certificate named AddTrust External CA Root that is used to establish cross-certificates to Sectigo’s modern root certificates, COMODO RSA Certification Authority and USERTrust RSA Certification Authority. Those modern roots do not expire until 2038.

The AddTrust External CA Root, however, expires on May 30th 2020.

After this date, clients and browsers will chain back to the modern roots that were cross-signed by the older AddTrust root. No errors will be shown on any patched, up-to-date system or network.

Certificate Chain Diagram

A legacy browser or older device that doesn’t have the modern “USERTrust” root would not trust it directly and would look further up the chain, through the cross-certificate, to the AddTrust External CA Root, which it does trust. A modern browser already has the USERTrust root installed and trusts it without relying on the older AddTrust root.
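The two path-building outcomes described above (a modern client stopping at the USERTrust root, a legacy client continuing through the cross-certificate to AddTrust and then failing once it has expired) can be modelled in a few lines. The following is an added example written for this page, not Sectigo code or a real X.509 verifier: the certificate records are constructed stand-ins (no signatures are checked), the intermediate and leaf names are placeholders, the AddTrust expiry date is the one the article gives, and the 2038 root expiry is an approximate placeholder. The evaluation date is a parameter, so the same model shows what changes on 1st June 2020.

```python
"""Model of X.509 path building with a cross-signed root (constructed example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str          # stand-in for the public key; a cross-cert shares it with the root
    not_after: datetime  # expiry of this certificate


def is_cross_certificate(cert: Cert, root: Cert) -> bool:
    """True if `cert` re-certifies `root`'s subject and key under a different issuer."""
    return (cert.subject == root.subject and cert.key_id == root.key_id
            and cert.issuer != root.issuer)


def build_path(leaf: Cert, supplied: list, anchors: list, at: datetime):
    """Walk issuer links from `leaf` until an issuer is found in the trust store.

    Returns (path, status). Every certificate on the path, the anchor included,
    must be valid at `at`; `status` is "trusted" or names the first problem.
    At each step the trust store (`anchors`) is consulted before the
    server-supplied chain, so a client that already holds the USERTrust root
    terminates there and never touches the cross-certificate.
    """
    path = [leaf]
    cert = leaf
    while True:
        if cert.not_after < at:
            return path, f"expired: {cert.subject} (issued by {cert.issuer})"
        anchor = next((a for a in anchors if a.subject == cert.issuer), None)
        if anchor is not None:
            if anchor.not_after < at:
                return path + [anchor], f"expired: {anchor.subject}"
            return path + [anchor], "trusted"
        nxt = next((c for c in supplied if c.subject == cert.issuer and c not in path), None)
        if nxt is None:
            return path, f"no trusted issuer found for {cert.subject}"
        path.append(nxt)
        cert = nxt


# Constructed hierarchy. AddTrust expiry is from the article; other dates are placeholders.
ADDTRUST_EXPIRY = datetime(2020, 5, 30)
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root",
                     "key-addtrust", ADDTRUST_EXPIRY)
USERTRUST_ROOT = Cert("USERTrust RSA Certification Authority",
                      "USERTrust RSA Certification Authority", "key-usertrust",
                      datetime(2038, 1, 1))  # approximate placeholder for "until 2038"
# The cross-certificate carries USERTrust's subject and key but is issued by AddTrust,
# so it cannot outlive its issuer.
USERTRUST_CROSS = Cert("USERTrust RSA Certification Authority",
                       "AddTrust External CA Root", "key-usertrust", ADDTRUST_EXPIRY)
INTERMEDIATE = Cert("Example Issuing CA (placeholder)",
                    "USERTrust RSA Certification Authority", "key-issuing",
                    datetime(2030, 1, 1))
LEAF = Cert("www.example.com", "Example Issuing CA (placeholder)", "key-leaf",
            datetime(2021, 1, 1))

SERVER_CHAIN = [LEAF, INTERMEDIATE, USERTRUST_CROSS]  # server still sends the cross-cert
MODERN_STORE = [USERTRUST_ROOT, ADDTRUST_ROOT]        # up-to-date trust store
LEGACY_STORE = [ADDTRUST_ROOT]                        # old device shipping only AddTrust
BEFORE_EXPIRY = datetime(2020, 5, 1)
AFTER_EXPIRY = datetime(2020, 6, 1)                   # the "forward the clock" date

if __name__ == "__main__":
    for label, store, when in [("modern, after expiry", MODERN_STORE, AFTER_EXPIRY),
                               ("legacy, before expiry", LEGACY_STORE, BEFORE_EXPIRY),
                               ("legacy, after expiry", LEGACY_STORE, AFTER_EXPIRY)]:
        path, status = build_path(LEAF, SERVER_CHAIN, store, when)
        print(f"{label}: {status}")
        print("   " + " -> ".join(c.subject for c in path))
```

Running it shows the modern store validating a three-certificate path that ends at the USERTrust root regardless of date, while the legacy store validates a four-certificate path through the cross-certificate before 30th May 2020 and reports the cross-certificate as expired afterwards, which is exactly the situation the last FAQ entry on this page warns about.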

What you really need to do

No action is required for most use cases, including certificates that serve modern client or server systems, whether you have issued cross-chained certificates to the AddTrust root or not.

Sectigo has made available a new legacy root for cross-signing business processes that rely on very old systems, the “AAA Certificate Services” root. Please exercise extreme caution, however, with any process that relies on very old legacy systems. Systems that have not received the upgrades needed to support newer roots like Sectigo’s COMODO root will eventually lack other important security updates as well and should be deemed vulnerable.

If you still want to cross-sign to the AAA Certificate Services root, contact Sectigo.


Will my certificate remain in trust after 30 May 2020?

Yes. All modern clients and operating systems have the newer COMODO and USERTrust roots, which will not expire until 2038.

On platforms whose trust stores are not updated automatically, you will need to install the newer Sectigo roots yourself, and make sure those devices also have the necessary security updates from the vendor.

Do I need to reinstall or reissue my certificate?

No. Your certificate will remain trusted until its normal expiry date and will not need to be reinstalled or reissued. If you wish, you can stop installing the cross-certificate on your servers. If you need legacy compatibility after the AddTrust expiry, we have a replacement cross-certificate that you can install in place of the AddTrust cross-certificate on your servers.

Precautionary steps and notes about existing environments/devices:

  • You may need to update any such systems to include more modern roots if it’s possible to do so. If the platform does not support modern algorithms (e.g. SHA-2), then you will need to discuss updates with that system vendor.
  • Customers who have incorporated AddTrust External CA Root into their application or custom legacy systems may need to incorporate the new USERTrust RSA CA Root before the expiry date of 30th May 2020.
  • Sectigo has other, older legacy roots apart from the AddTrust root, and in order to extend backward compatibility, we have generated cross-certificates signed by the “AAA Certificate Services” root. For information, please contact your account manager.

Can I check that I won’t see any errors?

Yes. If you have a certificate that is valid in June 2020 and beyond, you can set your system clock forward to 1st June 2020 and test the site.

What if I have an application that only trusts AddTrust?

If a system or application trusts only the AddTrust External CA Root, and not the more modern COMODO or USERTrust roots, errors can occur after 30th May 2020.
