{"id":11685,"date":"2020-03-11T07:28:05","date_gmt":"2020-03-11T07:28:05","guid":{"rendered":"https:\/\/nieuw.wpprovider.nl\/phasing-out-addtrust-external-ca-root-certificate\/"},"modified":"2024-08-13T20:27:37","modified_gmt":"2024-08-13T20:27:37","slug":"phasing-out-addtrust-external-ca-root-certificate","status":"publish","type":"post","link":"https:\/\/nieuw.wpprovider.nl\/en\/phasing-out-addtrust-external-ca-root-certificate\/","title":{"rendered":"Phasing out Addtrust External CA root certificate"},"content":{"rendered":"\n<p>On May 30, 2020, the widely used Sectigo (Comodo) Root certificate, called the AddTrust External CA Root, will expire.\nThis certificate has been active since May 30, 2000 and has been widely supported since its launch.\nThe successor to this root certificate is called the Comodo RSA Certification Authority Root and will expire in 2038.\nThis article explains how the root certificate phase-out works and why no additional actions are required on the server side.   <\/p>\n\n<h2 class=\"wp-block-heading\">Chain of Trust<\/h2>\n\n<p>Each <a href=\"https:\/\/wpprovider.nl\/ssl-certificaten\/\" target=\"_blank\" rel=\"noopener\">SSL certificate<\/a> is issued under a root certificate.\nRoot certificates are self-signed certificates that are verified by a CA such as Sectigo and included in a browser&#8217;s trusted root store.\nThis is important for SSL certificate support: when more browsers trust a root certificate, the SSL certificates issued under this root certificate will be more widely trusted.  
<\/p>\n\n<p>Between a root certificate and an SSL certificate are one or more intermediate certificates.\nTogether they form a complete chain (&#8220;chain of trust&#8221;) up to the root certificate.\nBy using intermediate certificates, the root certificate itself does not have to sign SSL certificates directly.\nIn this way, the root certificate can remain offline, making it less vulnerable to misuse.\nIntermediate certificates can be considered signposts to the root certificate.\nAn SSL certificate is signed by an intermediate certificate, and the intermediate certificate by the root certificate.\nFailure to install the intermediate certificate can, in some cases, lead to errors when visiting the page on which the certificate is active.<\/p>\n\n<h2 class=\"wp-block-heading\">Cross-signing<\/h2>\n\n<p>Building broad compatibility for a new root takes time.\nThis is why Sectigo SSL certificates are cross-signed under two different root certificates: the previously discussed AddTrust External CA root, valid until May 2020, and the relatively new &#8211; and because of this less widely supported &#8211; Comodo RSA Certification Authority root certificate, valid until May 2038.<\/p>\n\n<p>In addition, the Comodo RSA Certification Authority has issued another intermediate certificate.\nThe name of this intermediate certificate depends on the SSL certificate signed below it.\nFor example, the intermediate certificate that signs EV certificates is named COMODO RSA EV Secure Server CA.\nThis intermediate certificate is signed by both the Comodo RSA Certification Authority intermediate certificate and the root certificate of the same name, which is known as cross-signing.\nBecause of the cross-signing technique, two valid root certificates are known and can both be used.
<\/p>\n\n<h2 class=\"wp-block-heading\">Can the Sectigo (Comodo) certificate still be trusted?<\/h2>\n\n<p>Because of the compatibility and widespread browser support of the AddTrust External CA root certificate, this root certificate is still offered.\nWhen it expires and a client already has the Comodo RSA Certification Authority root in its trusted root store, that root will be used automatically.\nAs a result, installing the old root will not cause any problems from May 30, 2020 onward.\nYou will see that newer clients that know the Comodo RSA Certification Authority root are already using it.\nNowadays, certificates are issued with a maximum validity of two years.\nThis means a certificate can have a longer validity period than the root certificate you are using.\nThanks to the cross-signing technique, this does not cause any problems.<\/p>\n\n<p>Some visitors still use legacy devices.\nTherefore, we at <a href=\"https:\/\/wpprovider.nl\/\" target=\"_blank\" rel=\"noopener\">WP Provider<\/a> recommend using the old chain.\nAs of May 30, 2020, legacy devices that do not have the new root in the trusted root store will unfortunately give an error.<\/p>\n\n<p>Note: A Windows Server automatically provides the shortest chain.\nIt is possible to disable the new root certificate until the AddTrust External CA root certificate expires.<\/p>\n\n<p>The list below shows the minimum versions of software that will not have problems.\nAll browsers and operating systems older than the versions below do not contain new root certificates and may give errors.
<\/p>\n\n<p>Apple:<br\/>macOS Sierra 10.12.1 Public Beta 2<br\/>iOS 10<\/p>\n\n<p>Microsoft:<br\/>Windows XP<br\/>Windows Phone<\/p>\n\n<p>Mozilla:<br\/>Firefox 3.0.4<br\/>Firefox 36<\/p>\n\n<p>Google:<br\/>Android 2.3<br\/>Android 5.1<\/p>\n\n<p>Oracle:<br\/>Java JRE 8u51<\/p>\n\n<p>Opera:<br\/>Browser releases after December 2012<\/p>\n\n<p>360 Browser:<br\/>SE 10.1.1550.0 and Extreme browser 11.0.2031.0<\/p>\n\n<p>This test environment allows you to check if your installation is causing problems.\nTo do this, you need to adjust the clock to a date after June 1, 2020.<\/p>\n\n<h3 class=\"wp-block-heading\">Overlap in naming and expiration dates<\/h3>\n\n<p>Under the old &#8216;AddTrust External CA&#8217; root is the &#8216;Comodo RSA Certification Authority&#8217; intermediate.\nThe &#8216;root&#8217; and &#8216;intermediate&#8217; both expire on May 30, 2020.\nIn addition, the expiring intermediate certificate has the same name as the new Comodo RSA Certification Authority root certificate.<\/p>\n\n<h3 class=\"wp-block-heading\">Thumbprints<\/h3>\n\n<p>Each certificate has its own unique thumbprint.\nFor the certificates above, these are:<\/p>\n\n<p><strong>AddTrust External CA Root<\/strong><strong> root certificate:<\/strong><\/p>\n\n<p>02faf3e291435468607857694df5e45b68851868<\/p>\n\n<p><strong>Comodo RSA Certification Authority<\/strong><strong> intermediate certificate:<\/strong><\/p>\n\n<p>f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0<\/p>\n\n<p><strong>Comodo RSA Certification Authority<\/strong><strong> root certificate:<\/strong><\/p>\n\n<p>afe5d244a8d1194230ff479fe2f897bbcd7a8cb4<\/p>\n\n<p>This way you can verify with certainty which certificate is present on the server.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On May 30, 2020, the widely used Sectigo (Comodo) Root certificate, called the AddTrust External CA Root, will expire. This certificate has been active since May 30, 2000 and has been widely supported since its launch. 
The successor to this root certificate is called the Comodo RSA Certification Authority Root and will expire in 2038. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":10813,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[12],"tags":[],"class_list":["post-11685","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-geen-onderdeel-van-een-categorie"],"acf":[],"_links":{"self":[{"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/posts\/11685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/comments?post=11685"}],"version-history":[{"count":1,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/posts\/11685\/revisions"}],"predecessor-version":[{"id":11686,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/posts\/11685\/revisions\/11686"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/media\/10813"}],"wp:attachment":[{"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/media?parent=11685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/categories?post=11685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/tags?post=11685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}