Sectigo AddTrust External CA Root has expired

31 May 2020

As previously announced, the Sectigo AddTrust External CA Root certificate expired on May 30, 2020. Because all Sectigo certificates have been cross-signed with the newer UserTrust RSA Certification Authority root for some time now, this change only has consequences when using outdated systems.

What is the cause?

SSL certificates are signed by a root certificate from a CA, such as Sectigo. Root certificates are included in the trusted root store of browsers, so that the SSL certificates issued below are trusted. The Addtrust External CA root certificate was originally issued on May 30, 2000 and after 20 years expired on May 30, 2020. This will not cause any problems for modern operating systems and browsers: they contain the newer root certificates and can therefore rely on them. Older browsers and operating systems cannot, they only rely on the Addtrust certificate which is no longer supported after May 30. Besides that, systems connecting to your server without the need of a browser may also see an impact.

What is the impact?

All Sectigo certificates remain valid until their end date, and do not require a reissue. Modern browsers and operating systems use the newer ‘UserTrust RSA Certification Authority' which is valid until 2038. With outdated browsers and systems, there is a chance that they do not support that newer root, which may require action.

In case you are still using a certificate issued by intermediates from Comodo, issued before January 19th, 2019, there is a slightly larger chance that non-browser based applications will see an impact.

For this, we recommend performing a test to make sure that your infrastructure is still running as expected. If you do see some new issues, we recommend changing the CA certificates that are used on the server. Simply download the certificates (ZIP) again from our Control Panel, and you will see that a new chain has been added, making use of the AAA Certificate Services root.

After replacing the CA certificates on your server, you should not see any more issues. 

An overview of the supported browsers and systems and a test option for your own systems can be found in our FAQ article.