Phasing out Addtrust External CA root certificate

On May 30, 2020, the widely used Sectigo (Comodo) Root certificate, called the AddTrust External CA Root, will expire. This certificate has been active since May 30, 2000 and has been widely supported since its launch. The successor to this root certificate is called the Comodo RSA Certification Authority Root and will expire in 2038. This article explains how the root certificate phase-out works and why no additional actions are required on the server side.

Chain of Trust

Each SSL certificate is issued under a root certificate. Root certificates are self-signed certificates that belong to a CA such as Sectigo and are included in a browser's trusted root store. This matters for SSL certificate support: the more browsers trust a root certificate, the more widely the SSL certificates issued under that root will be trusted.

Between a root certificate and an SSL certificate sit one or more intermediate certificates. Together they form a complete chain ("chain of trust") back to the root certificate. Because the intermediates do the signing, the root certificate itself never has to sign an end-entity certificate and can remain offline, which makes it less vulnerable to misuse. Intermediate certificates can be thought of as signposts pointing to the root: an SSL certificate is signed by an intermediate, and the intermediate by the root certificate. Failing to install the intermediate on the server can, in some cases, lead to errors when visitors open the site on which the certificate is used.

Cross-signing

Building good compatibility for a new root takes time. This is why Sectigo SSL certificates are cross-signed under two different root certificates: the AddTrust External CA Root discussed above, valid until May 2020, and the relatively new (and therefore less widely supported) Comodo RSA Certification Authority root certificate, valid until May 2038.

In addition, the Comodo RSA Certification Authority has issued a further intermediate certificate. The name of this intermediate depends on the type of SSL certificate signed below it; for example, the intermediate that signs EV certificates is the COMODO RSA EV Secure Server CA. This intermediate is signed both by the Comodo RSA Certification Authority intermediate certificate and by the root certificate of the same name; this is what is meant by cross-signing. Because of cross-signing, two valid root certificates are known, and either of them can be used to build a chain.

Can the Sectigo (Comodo) certificate still be trusted?

Because of the compatibility and widespread browser support of the AddTrust External CA root certificate, this root certificate is still offered. When it expires and a client already has the Comodo RSA Certification Authority root in its trusted root store, that root will be used automatically. As a result, an installed copy of the old root will not cause any problems from May 30, 2020 onwards. Newer clients that already know the Comodo RSA Certification Authority root are already using it. Nowadays, certificates are issued with a maximum validity of two years. This means a certificate can have a validity period that extends beyond that of the root certificate it is issued under. Thanks to cross-signing, this does not cause any problems.

Some visitors still use legacy devices. Therefore, we at WP Provider recommend using the old chain. As of May 30, 2020, legacy devices that do not have the new root in their trusted root store will unfortunately show an error.

Note: A Windows Server automatically serves the shortest chain. It is possible to disable the new root certificate until the AddTrust External CA root certificate expires.

The list below shows all minimal versions of software that will not have problems. All browsers and operating systems older than the versions below do not contain new root certificates and may give errors.

Apple:

macOS Sierra 10.12.1 Public Beta 2
iOS 10

Microsoft:

Windows XP
Windows Phone

Mozilla:

Firefox 3.0.4
Firefox 36

Google:

Android 2.3
Android 5.1

Oracle:

Java JRE 8u51

Opera:

Browser releases after December 2012

360 Browser:

SE 10.1.1550.0 and Extreme browser 11.0.2031.0

This test environment allows you to check whether your installation is causing problems. To do this, set your system clock to a date after June 1, 2020.

Overlap in naming and expiration dates

Under the old 'AddTrust External CA' root is the 'Comodo RSA Certification Authority' intermediate. The 'root' and the 'intermediate' both expire on May 30, 2020. In addition, the expiring intermediate has the same name as the new Comodo RSA Certification Authority root certificate, so the name alone does not tell you which certificate you are looking at.

Thumbprints

Each certificate has its own unique thumbprint. Of the above certificates, these are:

Addtrust External CA Root root certificate:

02faf3e291435468607857694df5e45b68851868

Comodo RSA Certification Authority intermediate certificate:

f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0

Comodo RSA Certification Authority root certificate:

afe5d244a8d1194230ff479fe2f897bbcd7a8cb4

By comparing thumbprints rather than names, you can verify with certainty which certificate is present on the server.
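The following script is an added example and is not part of the original article or WP Provider's own tooling. It applies the thumbprint check above to a served chain (for instance the PEM output of `openssl s_client -showcerts`), maps each certificate to the three thumbprints quoted on this page, and flags whether the legacy AddTrust chain that expires on May 30, 2020 is still being served. The DER bytes used for the built-in sample are constructed and are not a real certificate.

```python
import base64
import hashlib
import re

# SHA-1 thumbprints (over the DER encoding) as quoted in the article above.
KNOWN_CERTS = {
    "02faf3e291435468607857694df5e45b68851868": "AddTrust External CA Root (root, expires 2020-05-30)",
    "f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0": "Comodo RSA Certification Authority (cross-signed intermediate, expires 2020-05-30)",
    "afe5d244a8d1194230ff479fe2f897bbcd7a8cb4": "Comodo RSA Certification Authority (root, expires 2038)",
}
# The two certificates that expire on May 30, 2020 and make up the legacy chain.
LEGACY_CHAIN = {
    "02faf3e291435468607857694df5e45b68851868",
    "f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0",
}
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def thumbprint(pem_body: str) -> str:
    """SHA-1 thumbprint of one certificate, given the base64 text between the PEM markers."""
    der = base64.b64decode("".join(pem_body.split()))
    return hashlib.sha1(der).hexdigest()


def classify(prints: list) -> dict:
    """Map thumbprints (in served order) to the known certificates and flag the legacy chain."""
    return {
        "thumbprints": prints,
        "identified": {tp: KNOWN_CERTS.get(tp, "not one of the three certificates above") for tp in prints},
        "serves_legacy_chain": any(tp in LEGACY_CHAIN for tp in prints),
    }


def audit_chain(pem_text: str) -> dict:
    """Classify every certificate found in a PEM bundle, e.g. 'openssl s_client -showcerts' output."""
    return classify([thumbprint(m.group(1)) for m in PEM_BLOCK.finditer(pem_text)])


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM markers; used here only to build a constructed sample."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode("ascii") + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    if sys.stdin.isatty():
        # Nothing piped in: run on a constructed stand-in (not a real certificate)
        # and on the thumbprints of the legacy chain quoted above.
        print(audit_chain(make_pem(b"abc")))
        print(classify(sorted(LEGACY_CHAIN)))
    else:
        # Usage: openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null | python audit_chain.py
        print(audit_chain(sys.stdin.read()))
```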
