Transition from Comodo CA to Sectigo
From November 1st, Comodo CA is called Sectigo. The company and brandname changed from Comodo CA to Sectigo. This also applies to the productnames: Comodo SSL is now called Sectigo SSL. For instance, a Comodo PositiveSSL certificate is now Sectigo PositiveSSL. The trustlogos have changed, the root structure changes on January 14, 2019. The product portfolio and the pricing will remain the same.
What is the impact for website visitors and end-users?
- Website visitors value Comodo as a well-known and trusted brand. In order to maintain this trust and to enable a smooth transition, a combined logo will be available for use up to November 1st, 2019.
- For Comodo certificate owners the impact will be small, all Comodo certificates will continue to work. The root structure does change, but in a way that no adjustments or new installations are needed. All certificates will still be trusted by browsers and applications.
- Trustlogo's wil need an update, by using this instruction.
What is the impact for resellers?
Comodo resellers will have to make some adjustments in their communication. Do yo offer Comodo certifcates on your website, or in quotes? Then things like name and logo will have to be adjusted. A styleguide and logo material are available. To avoid confusion, customers will have to be informed. We will contact our resellers about this subject separately.
Why this change?
Last year Comodo's certificate division was acquired by Fransisco partners. Since then, the certificate division is called Comodo CA (Certficiation Authority), while the original Comodo continued as Comodo Cyber Security in offering cyber security services like cWatch. The fact that both organisations operate in the same market caused too much confusion for the public. Sectigo, with the tagline 'Secure today - seize your tomorrow' will focus on 'security on the go', by offering a complete platform for all products, instead of just offering SSL certificates and digital signatures. Recently they launched their IoT PKI Manager.
What is the impact?
- Already issued certificates and the Comodo intermediates remain trusted worldwide until their expiry date, there's no action needed. The new root structure will be used from January 14 2019 for all new certificate requests and renewals. The old structure will be used for certificate reissues. Note: There are some exceptions with old systems, see the next paragraphs.
- Using the old intermediates for certificates issued after January 14 will cause errors in browsers.
- Like always, we send you the correct root - and intermediate certificates on certificate delivery. You can also download them in the Control Panel. From January 14, the new intermediates will be provided automatically, also when using the Xolphin API. Do you deliver intermediate certificates in a different way? Please make sure you provide the right intermediates from January 14.
- Due to the phasing out of the legacy Addtrust External A Root by 2020, we'll provide you the newer and shorter USERTrust root.
- With the SSLCheck you can easily check if the correct intermediate certificates are being used.
Changes in root structure
From January 14 2019, Sectigo certificates are issued from a different root certificate and new intermediate certificates. In order to make a full transition to the new Sectigo brand, the Comodo Root CA will be replaced by the USERTrust Root CA. This root has been around since 2010, and because it is cross signed by the current AddTrust Root has a browser support similar to that of the Comodo Root CA.
What is this root structure? Each operating system or browser has a trusted root store that contains root certificates which are trusted by default. All digital certificates issued from those roots will therefore be trusted too. Root certificates do not sign end-user certificates directly. To minimize risks a root certificate signs several intermediate certificates, usually per certificate type. For example, all Sectigo code signing certificates are signed by a code signing intermediate.
All certificates won't show the Comodo brand name anymore. For example the current intermediate for the Comodo PositiveSSL, the 'COMODO RSA Domain Validation SecureServer CA', will be replaced by the 'Sectigo RSA Domain Validation Secure Server CA'. Already issued certificates remain trusted worldwide until their expiry date, there's no action needed. The new root structure will be used from January 14, 2019 for all new certificate requests and renewals. The old structure will be used for certificate reissues. Like always, we send you the correct root - and intermediate certificates on certificate delivery. You can also download them.
Not supported old systems
The RSA USERTrust CA is not supported by certain old systems, like MacOS 10.11 devices and lower, and some older Android devices. In this case an error will be shown to website visitors. How can you fix this? The easiest and best way is updating your systems. Next to this, there is a temporary solution that works until early 2020: using a cross signed intermediate certificate
What were and will be the logo's?
The image below left shows the Comodo CA logo that was used last year, after the acquisition by Fransisco partners. Before the acquisition, the red logo on the right was used. By now, both logo's are out of date.
The first image below shows the logo that can be used up to November 1st, 2019. The second image is the definitive logo. Check and download the new images here.