On May 30, 2020, the widely used Sectigo (Comodo) root certificate AddTrust External CA Root will expire. This root has been in use since May 30, 2000 and has been widely supported since its launch. Its successor is the COMODO RSA Certification Authority root, which expires in 2038. This article explains how the root certificate is being phased out and why, thanks to cross-signing, no additional action is normally needed on the server side.
Chain of Trust
Every SSL certificate is issued under a root certificate. Root certificates are self-signed certificates owned by a CA such as Sectigo and are distributed in the trusted root stores of browsers and operating systems. This matters for compatibility: the more browsers trust a root certificate, the more widely the SSL certificates issued under it are trusted.
Between the root certificate and the SSL certificate sit one or more intermediate certificates. Together they form the complete chain of trust back to the root. Because the intermediates do the signing, the root key itself never has to sign end-entity certificates and can be kept offline, where it is far less exposed to misuse. An intermediate certificate can be thought of as a signpost to the root: the SSL certificate is signed by the intermediate and the intermediate by the root. The intermediate must be installed on the server together with the SSL certificate; leaving it out may cause errors for some visitors of the site on which the certificate is used.
Building up good compatibility for a new root takes time. Sectigo SSL certificates are therefore cross-signed under two different roots: the AddTrust External CA Root discussed above, valid until May 30, 2020, and the newer, and for that reason less widely distributed, COMODO RSA Certification Authority root, valid until January 2038.
Below the COMODO RSA Certification Authority sits a further intermediate, whose name depends on the type of SSL certificate it issues; EV certificates, for example, are issued by the COMODO RSA Extended Validation Secure Server CA. This issuing intermediate is signed with the key of the COMODO RSA Certification Authority, and that key exists in two certificates with the same subject name: the self-signed root and the version signed by the AddTrust External CA Root. This is what cross-signing means: two valid roots are known for the same chain, and a client can use either of them.
Can the Sectigo (Comodo) certificate still be trusted?
Because of its compatibility and broad browser support, the chain via the AddTrust External CA Root is still offered. When that root expires, a client that already has the COMODO RSA Certification Authority root in its trusted root store will use it automatically, so from May 30, 2020 the expiry of the old root does not cause problems on such clients. Newer clients that know the COMODO RSA Certification Authority root are in fact already using it today. Certificates are currently issued with a validity of at most two years, so an SSL certificate may well outlive the root you have been chaining to; because of cross-signing this does not lead to problems.
Some visitors still use legacy devices, so we recommend keeping the old chain, including the cross-signed intermediate, installed. From May 30, 2020 legacy devices that do not have the new root in their trusted root store will unfortunately show an error regardless. The reverse case also exists: a client whose verifier follows the first matching issuer it finds and never tries an alternative path will fail on the expired cross-signed intermediate even though it trusts the new root; for such clients the chain has to be served without the cross-signed certificate.
Note: a Windows server builds the chain it sends from its local certificate store and sends the shortest chain it finds. To keep serving the long chain via the AddTrust External CA Root until that root expires, the new root certificate can be disabled in the server's store.
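To make the behaviour described above concrete, here is an added model (not code from the original article or from Sectigo) of how a verifier picks a path when an intermediate is cross-signed. Names mirror the article's chain and the two root expiry dates are the real ones, but no signatures are verified: a signature relationship is reduced to a matching issuer name and key identifier, and the issuing CA, the leaf and their dates are constructed for the example. It runs the same served chain against a client that has the new root, a legacy device that only has the old one, and a verifier that follows the first issuer it finds without backtracking (how some older TLS libraries behave), before and after May 30, 2020.

```python
"""Toy model of certificate path building with a cross-signed intermediate.

Added illustration, not code from the article or from Sectigo. No signatures are
checked: "X signed Y" is modelled as Y.issuer == X.subject and
Y.issuer_key_id == X.key_id, which is enough to show how a verifier chooses
between the two paths that cross-signing creates.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    key_id: str          # stands in for the subject's public key
    issuer: str
    issuer_key_id: str   # key that signed this certificate (authorityKeyIdentifier)
    not_after: datetime

    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.issuer_key_id


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed certificates modelled on the article's chain. The two root expiry
# dates are the real ones; the issuing CA, the leaf and their dates are made up.
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "addtrust-key",
                     "AddTrust External CA Root", "addtrust-key", utc(2020, 5, 30))
COMODO_ROOT = Cert("COMODO RSA Certification Authority", "comodo-rsa-key",
                   "COMODO RSA Certification Authority", "comodo-rsa-key", utc(2038, 1, 18))
# Cross-signed version: same subject and key as COMODO_ROOT, but signed by
# AddTrust and therefore expiring together with it.
COMODO_CROSS = Cert("COMODO RSA Certification Authority", "comodo-rsa-key",
                    "AddTrust External CA Root", "addtrust-key", utc(2020, 5, 30))
ISSUING_CA = Cert("COMODO RSA Domain Validation Secure Server CA", "comodo-dv-key",
                  "COMODO RSA Certification Authority", "comodo-rsa-key", utc(2029, 1, 1))
LEAF = Cert("www.example.com", "leaf-key",
            "COMODO RSA Domain Validation Secure Server CA", "comodo-dv-key", utc(2021, 6, 1))


def build_path(cert, supplied, trusted, at, seen=()):
    """Path building as modern verifiers (OpenSSL 1.1 and later among them) do it,
    written from scratch here: try every candidate issuer, trusted store first, and
    backtrack from dead ends such as an expired cross-signed certificate.
    Returns the chain from cert up to a trust anchor, or None."""
    if at > cert.not_after or cert in seen:
        return None
    if cert in trusted:
        return [cert]
    if cert.self_signed():
        return None                                   # self-signed but not trusted
    for issuer in list(trusted) + list(supplied):
        if issuer.subject == cert.issuer and issuer.key_id == cert.issuer_key_id:
            rest = build_path(issuer, supplied, trusted, at, seen + (cert,))
            if rest is not None:
                return [cert] + rest
    return None


def naive_path(cert, supplied, trusted, at):
    """A legacy verifier: follows the first matching issuer, served chain first,
    and never backtracks. Some older TLS stacks behaved like this."""
    chain = [cert]
    while True:
        cur = chain[-1]
        if at > cur.not_after:
            return None
        if cur in trusted:
            return chain
        if cur.self_signed():
            return None
        nxt = next((c for c in list(supplied) + list(trusted)
                    if c.subject == cur.issuer and c.key_id == cur.issuer_key_id), None)
        if nxt is None:
            return None
        chain.append(nxt)


def anchor(path):
    """Subject of the trust anchor a path ends in, or None if there is no path."""
    return path[-1].subject if path else None


def scenarios():
    """Trust anchor reached (None means a certificate error) per client and date."""
    old_chain = [ISSUING_CA, COMODO_CROSS]        # the "old chain" the article recommends
    short_chain = [ISSUING_CA]                    # same chain without the cross-signed cert
    before, after = utc(2020, 5, 1), utc(2020, 6, 1)
    modern_store = [ADDTRUST_ROOT, COMODO_ROOT]   # client that has the new root
    legacy_store = [ADDTRUST_ROOT]                # legacy device: only the old root
    return {
        "modern client, before expiry": anchor(build_path(LEAF, old_chain, modern_store, before)),
        "modern client, after expiry": anchor(build_path(LEAF, old_chain, modern_store, after)),
        "legacy device, before expiry": anchor(build_path(LEAF, old_chain, legacy_store, before)),
        "legacy device, after expiry": anchor(build_path(LEAF, old_chain, legacy_store, after)),
        "no-backtrack verifier, new root, old chain, after expiry":
            anchor(naive_path(LEAF, old_chain, modern_store, after)),
        "no-backtrack verifier, new root, short chain, after expiry":
            anchor(naive_path(LEAF, short_chain, modern_store, after)),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result or 'certificate error'}")
```

Running it prints the trust anchor each client ends up at. The two results to note are the legacy device after the expiry, which fails because its only path runs through the expired cross-signed certificate, and the non-backtracking verifier, which fails on the old chain but succeeds as soon as the cross-signed certificate is left out of what the server sends.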
The list below gives the oldest versions of common software that contain the new root and will have no problems. Browsers and operating systems older than these versions do not contain the new root certificate and may show errors.
macOS Sierra 10.12.1 Public Beta 2
Java JRE 8u51
Browser releases after December 2012
SE 10.1.1550.0 and Extreme browser 11.0.2031.0
This test environment allows you to check whether your own installation will run into problems. To test, set the clock on the client to a date after June 1, 2020 and then visit it.
Overlap in naming and expiration dates
Under the old AddTrust External CA Root, the COMODO RSA Certification Authority intermediate is present. This root and this intermediate both expire on May 30, 2020. In addition, the expiring intermediate has the same subject name (and the same public key) as the new COMODO RSA Certification Authority root certificate, so the name alone does not tell you which one you are looking at.
Each certificate does have its own unique thumbprint, the hash of the certificate's DER encoding, which distinguishes them. For the certificates above they are:
Addtrust External CA Root root certificate:
Comodo RSA Certification Authority intermediate certificate:
Comodo RSA Certification Authority root certificate:
By comparing thumbprints you can determine with certainty which of these certificates is present on the server.
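The check itself can be scripted. The following is an added example, not code from the article: it splits a PEM bundle (such as the chain a server sends, saved from the output of openssl s_client -connect host:443 -showcerts) into its certificates, computes each one's SHA-1 and SHA-256 thumbprint in the colon-separated form CAs publish, and looks a certificate up by thumbprint. The sample bundle is constructed from arbitrary byte strings rather than real certificates, so it only exercises the parsing, hashing and matching.

```python
"""Thumbprints of every certificate in a PEM bundle.

Added example, not code from the original article. Point it at the chain your
server actually sends and compare the values with the thumbprints the CA
publishes. SAMPLE_DER holds constructed byte strings, not real certificates.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_bundle_to_der(bundle: str) -> list:
    """Return the DER bytes of each certificate in a PEM bundle, in order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(bundle)]


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Thumbprint in the upper-case, colon-separated form CAs and browsers show."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(thumbprint: str) -> str:
    """Strip colons, spaces and case so published values compare reliably."""
    return re.sub(r"[^0-9A-F]", "", thumbprint.upper())


def chain_fingerprints(bundle: str) -> list:
    """(position, SHA-1, SHA-256) for every certificate in the bundle."""
    return [(i, fingerprint(d, "sha1"), fingerprint(d, "sha256"))
            for i, d in enumerate(pem_bundle_to_der(bundle))]


def find_by_thumbprint(bundle: str, thumbprint: str):
    """Position of the certificate with this SHA-1 or SHA-256 thumbprint, or None.
    Accepts the value with or without colons and in either case."""
    wanted = normalize(thumbprint)
    for i, sha1, sha256 in chain_fingerprints(bundle):
        if wanted in (normalize(sha1), normalize(sha256)):
            return i
    return None


# Constructed stand-ins for a leaf and an intermediate; real DER is far longer.
SAMPLE_DER = [b"abc", b"constructed intermediate certificate body"]
SAMPLE_BUNDLE = "".join(der_to_pem(d) for d in SAMPLE_DER)

if __name__ == "__main__":
    for i, sha1, sha256 in chain_fingerprints(SAMPLE_BUNDLE):
        print(f"cert {i}: SHA1   {sha1}")
        print(f"        SHA256 {sha256}")
```

Save the served chain to a file, read it in place of SAMPLE_BUNDLE, and call find_by_thumbprint with the published value of the certificate you expect; a result of None means that certificate is not in the chain the server sends.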