Upcoming AddTrust Root Expiration – What You Need to Know
Sectigo at present offers the ability to cross-sign certificates with the AddTrust legacy root to increase support among very old systems and devices. This root is due to expire at the end of May, 2020. Any applications or installations that depend on this cross-signed root must be updated by May, 2020 or run the risk of outage or displayed error message.
For the vast majority of use cases Sectigo’s standard root supplies the full required client support. For unusual cases, Sectigo offers a new cross signing option with its AAA root, which does not expire until 2028.
Read this article for a full explanation of cross signing, the AddTrust root expiration, and potential alternatives beyond that expiration date.
Please also consult our FAQ document for answers to you common questions.
What Is a Root Certificate?
Root certificates are self-signed certificates. This means the “Issuer” and ”Subject” are the same. A root certificate becomes a trusted root certificate (or trusted CA, or trust anchor) by virtue of being included by default in the trust store of a piece of software such as a browser or OS.
These trust stores are updated by the browser software or OS frequently, often as part of security updates, but on older outdated platforms they were often updated only as part of a full software update – such as Windows Service Packs or optional Windows Update releases.
Certificates for your site are issued from a “chain” of issuing or “intermediate” CA that completes a path back to these trusted root certificates.
It is important to note that security updates are of paramount importance today. There may be devices which do not have updates to include modern roots – but as a consequence also do not support standards required by the modern internet. A good example is Android. While Android 2.3 Gingerbread does not have the modern roots installed and relies on AddTrust, it also does not support TLS 1.2 or 1.3, and is unsupported and labelled obsolete by the vendor.
For more information view this article: Sectigo Chain Hierarchy and Intermediate Roots
What Is Cross-Signing?
CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms. In order to take advantage of this fact, CAs generate cross certificates to ensure that their certificates are as widely supported as possible. A cross certificate is where one root certificate is used to sign another.
The cross certificate uses the same public key and Subject as the root being signed.
For example, a cross certificate could be:
Subject: COMODO RSA Certification Authority
Issuer: AddTrust External CA Root
Uses the same Subject and public key as the self-signed COMODO root certificate.
Browsers and clients will chain back to the “best” root certificate they trust.
AddTrust External CA Expiration
Sectigo controls a root certificate called the AddTrust External CA Root, which has been used to create cross-certificates to Sectigo’s modern root certificates, the COMODO RSA Certification Authority and USERTrust RSA Certification Authority (as well as the ECC versions of those roots). These roots don’t expire until 2038.
However, the AddTrust External CA Root expires on May 30th 2020.
After this date, clients and browsers will chain back to the modern roots that the older AddTrust was used to cross sign. No errors will be displayed on any updated, newer device or platform which has had updates
Certificate Chain Diagram
A legacy browser or older device that does not have the modern “USERTRust” root would not trust it and so would look further up the chain to a root it does trust, the AddTrust External CA Root. A more modern browser would have the USERTrust root already installed and trust itwithout needing to rely on the older AddTrust root.
What You Need to Do
For most use cases, including certificates serving modern client or server systems, no action is required, whether or not you have issued certificates cross-chained to the AddTrust root.
As of April 30, 2020: For business processes that depend on very old systems, Sectigo has made available (by default in the certificate bundles) a new legacy root for cross-signing, the “AAA Certificate Services” root. However, please use extreme caution about any process that depends on very old legacy systems. Systems that have not received the updates necessary to support newer roots such as Sectigo’s COMODO root will inevitably be missing other essential security updates and should be considered insecure. If you would still like to cross-sign to the AAA Certificate Services root, please contact Sectigo directly.
Will my certificate still be trusted after May 30, 2020?
Yes. All modern clients and operating systems have the newer, modern COMODO and USERTrust roots which don’t expire until 2038.
On platforms where the trust stores have been artificially limited or cannot be updated (embedded devices, for example), you will need to update and install the newer Sectigo roots. Please ensure these devices also have the necessary security updates from the vendor.
Do I need to reissue or reinstall my certificate?
No. Your certificate will remain trusted until it’s natural expiry date and does not need reissuance or reinstallation. You can choose to stop installing the cross-certificate on your servers if you wish. Should you need legacy compatibility after the AddTrust expiry we have a replacement cross-certificate that you can install on your servers in place of the AddTrust cross-certificate. See below for more details.
Can I test or check that I won’t see any errors?
Yes. If you have a certificate valid into June 2020 and beyond, you can set the clock on your system forward to June 1st 2020, and test the site.
Modern browsers will display no errors, and you can see that the certificate chains back to the COMODO or USERTrust root. (Note: some browsers such as Google Chrome, will detect that your clock is “wrong” and show a warning unrelated to the certificates as a result.)
Here is a test site you can use to evaluate your environment here
- These links provide a valid certificate issued from specific chains.
- They can be used to test what clients support which roots.
- You can also adjust your system clock into June 2020 to see how clients function after the expiry of the AddTrust root and cross-certificates.
The modern roots: COMODO RSA/ECC Certification Authority and USERTrust RSA/ECC Certification Authority:
*clicking the 'certificates' label on crt.sh links provides a download to the certificate file itself*
These roots were added to the following platforms since:
- macOS Sierra 10.12.1 Public Beta 2
- iOS 10
- Windows XP (via Automatic Root Update; note that ECC wasn't supported by Windows until Vista)
- Windows Phone 7
- Firefox 3.0.4 (COMODO ECC Certification Authority)
- Firefox 36 (the other 3 roots)
- Android 2.3 (COMODO ECC Certification Authority)
- Android 5.1 (the other 3 roots)
- [Browser release on December 2012]
- SE 10.1.1550.0 and Extreme browser 11.0.2031.0
The cross-certificates with AAA Certificate Services provide compatibility to older versions:
- Apple iOS 3.
- Apple macOS 10.4.
- Google Android 2.3.
- Mozilla Firefox 1.
- Oracle Java JRE 1.5.0_08.
AAA Certificate Services self-signed root [expiring 2028] - https://crt.sh/?id=331986
AAA Certificate Services - cross-certificates:
AAA Certificate Services - USERTrust RSA Certification Authority - https://crt.sh/?id=1282303295
AAA Certificate Services - USERTrust ECC Certification Authority - https://crt.sh/?id=1282303296
AAA Certificate Services - Comodo RSA Certification Authority - https://crt.sh/?id=2545965608
AAA Certificate Services - Comodo ECC Certification Authority - https://crt.sh/?id=2545966120
What if I have infrastructure or an application that only trusts AddTrust?
If a system or application only trusts the AddTrust External CA root and not the more modern Comodo or USERTrust roots – errors will occur after May 30th, 2020.
Precautionary measures and notes for legacy environments/devices:
You may need to update any such systems to include more modern roots if it’s possible to do so. If the platform doesn’t support modern algorithms (SHA-2, for example) then you will need to speak to that system vendor about updates.
Customers who have embedded AddTrust External CA Root into their applications or custom legacy devices may need to embed the new USERTrust RSA CA Root replacement before the May 2020 expiry date.
Sectigo has other, older, legacy roots apart from the AddTrust root, and we have generated cross-certificates from one in order to extend backward compatibility. The cross certificate is signed by the root called “AAA Certificate Services.” Please contact Support or your Account Manager for details.