Phasing out Addtrust External CA Root certificate

On May 30, 2020 the commonly used Sectigo (Comodo) Root certificate, named the AddTrust External CA Root, will expire. This certificate is active since May 30, 2000 and since it's launch widely supported. The successor of this root certificate is named the Comodo RSA Certification authority Root, and wil expire in 2038. This article explains how the phasing out of the root certificate works and why no extra actions are required on the server side.

Chain of trust

Every SSL certificate is issued under a root certificate. Root certificates are self-signed certificates controlled by a CA like Sectigo and are included in the trusted root store of a browser. This is important for the support of the SSL certificates: when more browsers trust a root Certificate, the SSL certificates issued under this root certificate will be more widely trusted.

Between a root certificate and an SSL certificate one or more intermediate certificates are present. Together they provide a complete chain ('chain of trust') to the root certificate. By using intermediate certificates, the root certificate itself doesn't need to sign a certificate. This way the root certificate can stay off-line, which makes it less vulnerable for abuse. Intermediate certificates can be considered as signage pointing to the root certificate. An SSL certificate is signed by an intermediate and the intermediate by the root certificate. Not installing them can in some cases lead to errors when visiting the page on which the certificate is active.

Cross-signing

To build up a good compatibility of a new root takes time. Therefore Sectigo SSL certificates are cross-signed under two different root certificates, the earlier discussed Addtrust External CA root with a validity till May 2020 en the relatively new - and because of this less widely supported - Comodo RSA Certification Authority root certificate valid until May 2038.

In addition to this, the Comodo RSA Certification authority intermediate issued another intermediate. The name of this intermediate depends on the signed SSL certificate underneath it. For example the name of the intermediate that signs EV certificates is the COMODO RSA EV Secure Server CA . This last intermediate is signed by both the Comodo RSA Certification authority intermediate certificate and by the equally named named root certificate, also called cross-signing. Because of the cross-signing technique two valid root certificates are known an both can be used.

Will my Sectigo (Comodo) certificate still be trusted?

Because of the compatibility and widespread browser support of the Addtrust External CA root certificate we still offer this root certificate. When it expires and a client already has the Comodo RSA Certification authority root present in it's trusted root, it will be used automatically. Because of this, installing the old root won't lead to any problems from May 30, 2020. You will see that newer clients familiar with the Comodo RSA Certification authority root, already use it. Nowadays certificates get issued with a maximum validity of two years. Because of this it's possible the certificate has a longer validity then the root certificate you are using. Because the use of the cross-singing technique this doesn't lead to issues.

Some visitors are still using legacy devices. Because of this we advice to use the old chain. From May 30, 2020, legacy devices that don't have the new root in the trusted root, unfortunately will give an error.

Note: A Windows Server automatically offers the shortest chain. It is possible to disable the new root certificate until the Addtrust External CA root certificate is expired.

The list below shows all minimum versions of software that will have no problems. All browsers and operating systems that are older than the versions below, do not contain de new root certificates and might give errors.

Apple:

  • macOS Sierra 10.12.1 Public Beta 2
  • iOS 10
  • Windows XP
  • Windows Phone

Mozilla:

  • Firefox 3.0.4
  • Firefox 36

Google:

  • Android 2.3
  • Android 5.1

Oracle:

  • Java JRE 8u51

Opera:

  • Browser releases after december 2012

360 Browser:

  • SE 10.1.1550.0 and Extreme browser 11.0.2031.0

With this test environment you can check if your setup will cause problems. For this you need to adjust the clock to a date after June 1, 2020.

Overlap in naming and expiration date

Under the old 'Addtrust External CA' root the 'Comodo RSA Certification authority' intermediate is present. The root and intermediate both expire on May 30, 2020. Next to this, the expiring certificate has the same name as the new Comodo RSA Certification authority root certificate.

Thumbprints

Each certificate has his own, unique thumbprint. From the previously discussed certificates these are:

Addtrust External CA Root root certificate:

02faf3e291435468607857694df5e45b68851868

Comodo RSA Certification Authority intermediate certificate:

f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0

Comodo RSA Certification Authority root certificate:

afe5d244a8d1194230ff479fe2f897bbcd7a8cb4

This enables you to check with certainty which certificate is present on the server.

SSLCheck

Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues

point up