FAQ: Sectigo AddTrust External CA Root Expiring May 30, 2020

This article addresses the following questions:

  1. When will the Sectigo Certificate Manager (SCM) user interface have the correct Root and Intermediate?
  2. Why is Sectigo waiting so long to change their Root and Intermediate certificates in SCM?
  3. What do I receive with a certificate chain and when are they set to expire?
  4. Where can I find more information and resources about Sectigo’s CA Root expiring?
  5. My environment is FIPS compliant. However, UserTrust RSA shows a 4096-bit key. If I received Sectigo’s new AAA Root Certificate, would the chain work or fail?
  6. US Government Systems state that Root and Intermediate Certificates with a key length of 4098 do not work with current 2030 FIPS Standards. Can you make a chain that will be selectable in SCM?
  7. What will happen after the AddTrust External and cross-signed Intermediate UserTrust RSA expires?
  8. Will the Trust chain automatically link to the UserTrust RSA Root Exp: 2038?
  9. Will I need to manually delete AddTrust and cross-signed Intermediate UserTrust RSA from my environment for the chain to work with UserTrust RSA Root?
  10. When will Sectigo start sending .zip certificate issuance with UserTrust RSA Root Exp: 2038?
  11. When will Sectigo update SCM with the new UserTrust and Intermediate Certificates?
  12. Why does Sectigo use identical names for Intermediate and Root UserTrust RSA CA?
  13. Considering my legacy environments, what will happen when the AddTrust External and cross-signed Intermediate UserTrust RSA expire?



Question 1: When will the Sectigo Certificate Manager (SCM) user interface have the correct Root and Intermediate?

Example:

Intermediate: Sectigo RSA Organization Validation Secure CA, expires in 2030
Root: UserTrust RSA CA, expires in 2038


Answer: The root and intermediate are already 'correct'. Sectigo will be changing the default-provided certificates in internal tools and SCM within the April 2020 timeframe. The change is to provide a cross-certificate to AAA Certificate Services, which will expire in 2028.

Note: The USERTrust root is currently available in all modern trust stores and can be downloaded from the following article: Sectigo AddTrust External CA Root Expiring May 30, 2020


Question 2: Why is Sectigo waiting so long to change their Root and Intermediate certificates in SCM?
Answer: We will stop providing certificates issued by AddTrust External CA Root leading up to the expiration date. However, up to May 30, 2020 they're still valid. AddTrust External CA Root is currently our most ubiquitous root and we intend to ensure that certificates we issue have the widest possible ubiquity. Providing the AddTrust cross-certificate by default achieves that.

Question 3: What do I receive with a certificate chain and when are they set to expire?
Answer: You will receive two roots: AddTrust, expiring May 2020, and the UserTrust Root, expiring 2038.

Question 4: Where can I find more information and resources about Sectigo’s CA Root expiring?
Answer: Additional information, FAQs, links to the cross-certs and roots, and a list of versions for compatibility and test sites is available in the following article.
Sectigo AddTrust External CA Root Expiring May 30, 2020

Question 5: My environment is FIPS compliant and requires a 2048-bit key strength across the full chain. However, UserTrust RSA shows a 4096-bit key. If I received Sectigo’s new AAA Root Certificate, would the chain work or fail?
Answer: A 4096-bit RSA key is 'stronger' than a 2048-bit RSA key. That won't constitute a failure. Also, FIPS is for certification of cryptographic modules and hardware, not the certificate and certificate chains.

Question 6: US Government Systems (CSOS, DEA systems) state that Root and Intermediate Certificates with a key length of 4098 do not work with current 2030 FIPS Standards. Can you make a chain that will be selectable in SCM?
Answer: As above. 4096-bit RSA keys are 'stronger' than 2048-bit keys. Our modern roots (USERTrust and COMODO) use 4096-bit keys, as do those of most other major CAs. We don't have an option that is weaker.

Question 7: What will happen after the AddTrust External and cross-signed Intermediate UserTrust RSA expires?
Answer: For any modern TLS client (browser, OS updated in the past few years) - nothing. Clients will chain back to the USERTrust root which expires in 2038, or in some cases the new cross-certificate to AAA Certificate Services expiring in 2028.


Question 8: Will the Trust chain automatically link to the UserTrust RSA Root Exp: 2038?
Answer: Yes. TLS clients will do this when they have the USERTrust root in their trust store. This means any software that is recent or updated in the past few years. The only problem areas are where there are clients or ecosystems which have artificially limited trust stores - i.e. where a customer has intentionally removed the modern roots from the store, or not updated the trust store - or they simply have software that is outdated, insecure and not updated.

Question 9: Will I need to manually delete AddTrust and cross-signed Intermediate UserTrust RSA from my environment for the chain to work with UserTrust RSA Root?
Answer: No, this is not necessary. When the AddTrust Root Certificate expires, the chain will automatically link and form Trust with UserTrust RSA Root.


Question 10: Sectigo provides the AddTrust External CA Root in a .zip file. However, UserTrust Root is missing.

When will Sectigo start sending .zip certificate issuance with UserTrust RSA Root Exp: 2038?

Answer: Sectigo will change this by default in April, however the USERTrust root is available for download from the KB article. It's also included in trust stores.

Question 11: Sectigo Certificate Manager UI still shows the AddTrust External CA and old Intermediate. When will Sectigo update SCM with the new UserTrust and Intermediate Certificates?
Answer: Sectigo will change this by default in April, however the USERTrust root is available for download from the KB article. It's also included in trust stores.

Question 12: Why does Sectigo use identical names for Intermediate and Root UserTrust RSA CA?
Answer: We don't. One is a 'root certificate' (self-signed and included in trust stores). The other is a cross-certificate: it carries the same public key and Subject DN as the root, but because it is signed by AddTrust its Issuer differs from its Subject, so it is not self-signed. Additional detail can be found in the following article.
Sectigo AddTrust External CA Root Expiring May 30, 2020

Question 13: Considering my legacy environments, what will happen when the AddTrust External and cross-signed Intermediate UserTrust RSA expire?
Answer: We need to understand what you consider a 'legacy' environment. What roots does this environment have? If it has USERTrust RSA/ECC CA, COMODO RSA/ECC CA or the AAA Certificate Services root, then it can work.
If the trust store includes *only* AddTrust, then it will show warning messages unless it can be updated to include modern roots.
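The path-building behaviour described in Questions 7 to 9, 12 and 13 can be seen in a small simulation. This is an added example, not code from Sectigo or from this FAQ: the certificates are constructed models (expiry years from the FAQ, exact days and the "spki" key labels assumed), and the builder follows issuer names, skips expired candidates and stops at the first trust anchor, which is the essence of how a TLS client ignores the expired cross-certificate once the USERTrust root is in its store.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: str        # stands in for the public key the certificate binds
    not_after: date

# Constructed model of the chain this FAQ describes (years from the FAQ,
# exact days assumed; "spki" strings stand in for real public keys).
USERTRUST_ROOT = Cert("USERTrust RSA CA", "USERTrust RSA CA", "key-usertrust", date(2038, 1, 1))
# Cross-certificate: same subject and key as the root, different issuer (Question 12).
USERTRUST_CROSS = Cert("USERTrust RSA CA", "AddTrust External CA Root", "key-usertrust", date(2020, 5, 30))
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", "key-addtrust", date(2020, 5, 30))
SECTIGO_OV = Cert("Sectigo RSA Organization Validation Secure CA", "USERTrust RSA CA", "key-sectigo-ov", date(2030, 1, 1))
LEAF = Cert("www.example.test", "Sectigo RSA Organization Validation Secure CA", "key-leaf", date(2021, 1, 1))
SERVER_SENDS = [SECTIGO_OV, USERTRUST_CROSS]   # the old default bundle a server presents

def build_path(leaf, sent_chain, trust_store, today):
    """Depth-first path building (the shape of RFC 4158): follow issuer names,
    skip expired candidates, prefer trust-store copies over sent ones, and
    stop at the first trust anchor. Returns the path's subjects, or None."""
    def extend(cert, path):
        if cert.not_after < today:          # an expired cert cannot be on the path
            return None
        path = path + [cert]
        if cert in trust_store:             # reached a trust anchor
            return [c.subject for c in path]
        if cert.subject == cert.issuer:     # self-signed but untrusted: dead end
            return None
        for cand in trust_store + sent_chain:
            if cand.subject == cert.issuer and cand not in path:
                found = extend(cand, path)
                if found:
                    return found
        return None
    return extend(leaf, [])

def modern_store_after_expiry():
    """Questions 7-9: with the USERTrust root in the store, the expired cross-cert is never used."""
    return build_path(LEAF, SERVER_SENDS, [USERTRUST_ROOT, ADDTRUST_ROOT], date(2020, 6, 1))

def legacy_store_before_and_after():
    """Question 13: a store holding only AddTrust works until May 30, 2020, then fails."""
    store = [ADDTRUST_ROOT]
    return (build_path(LEAF, SERVER_SENDS, store, date(2020, 5, 1)),
            build_path(LEAF, SERVER_SENDS, store, date(2020, 6, 1)))
```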