Sectigo Root Certificates

Currently Sectigo operate 4 ‘modern’ root certificates:

  1. USERTrust RSA Certification Authority - https://crt.sh/?id=1199354

  2. USERTrust ECC Certification Authority - https://crt.sh/?id=2841410

  3. COMODO RSA Certification Authority - https://crt.sh/?id=1720081

  4. COMODO ECC Certification Authority - https://crt.sh/?id=2835394

(Each certificate can be viewed and downloaded from the crt.sh link)

These root certificates were added into the following platforms:


Apple:

  • macOS Sierra 10.12.1 Public Beta 2

  • iOS 10

Microsoft:

  • Windows XP (via Automatic Root Update; Note: ECC wasn't supported by Windows until Vista)

  • Windows Phone 7

Mozilla:

  • Firefox 3.0.4 (COMODO ECC Certification Authority)

  • Firefox 36 (the other 3 roots)

Google:

  • Android 2.3 (COMODO ECC Certification Authority)

  • Android 5.1 (the other 3 roots)

Oracle:

  • Java JRE 8u51

Opera:

  • [Browser release in December 2012]

360 Browser:

  • SE 10.1.1550.0 and Extreme browser 11.0.2031.0


Additionally, each of the 4 modern roots has been cross-signed by an older Sectigo root certificate:


This cross-certification provides additional backward-compatibility for legacy versions of software:

  • Apple iOS 3.

  • Apple macOS 10.4.

  • Google Android 2.3.

  • Mozilla Firefox 1.

  • Oracle Java JRE 1.5.0_08.


The cross-certificates for each of the four modern roots, signed by AAA Certificate Services, can be found here:

FAQs

What is cross-signing?

  • A root certificate is a self-signed certificate that has been included in a trust store by a software or OS vendor, so that users and clients of that product automatically trust the root certificate.

  • CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms.

  • To take advantage of this and ensure compatibility across as many platforms as possible, CAs generate cross certificates so that their certificates are as widely supported as possible.

  • A cross certificate is where one root certificate is used to sign another.

  • The cross certificate uses the same public key and Subject DN (Distinguished Name) as the root being signed.

  • Browsers and clients will chain back to the “best” root certificate they trust.
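
The chaining behaviour described above, as an added example that is not Sectigo's own code: a simplified path-building model in which signatures are stood in for by key labels. The key labels, the intermediate and leaf names, and the "shortest chain wins" rule for picking the "best" root are assumptions made for illustration.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str    # Subject DN
    key: str        # stand-in for the subject public key
    issuer: str     # Issuer DN
    signed_by: str  # stand-in for the key that made the signature

# Constructed model; key labels and the intermediate/leaf names are placeholders.
U = "USERTrust RSA Certification Authority"
A = "AAA Certificate Services"
ROOT = Cert(U, "usertrust-key", U, "usertrust-key")   # self-signed modern root
LEGACY = Cert(A, "aaa-key", A, "aaa-key")             # self-signed older root
CROSS = Cert(U, "usertrust-key", A, "aaa-key")        # modern root signed by older root
INTERMEDIATE = Cert("Example Issuing CA", "ica-key", U, "usertrust-key")
LEAF = Cert("www.example.test", "leaf-key", "Example Issuing CA", "ica-key")

def is_cross_pair(root, cross):
    """Same Subject DN and public key, different issuer."""
    return (root.subject, root.key) == (cross.subject, cross.key) \
        and root.issuer != cross.issuer

def issued(parent, child):
    """Name chaining plus the (modelled) signature check."""
    return child.issuer == parent.subject and child.signed_by == parent.key

def build_path(cert, pool, trust_store, seen=()):
    """Return the shortest chain from cert to a trusted root, or None."""
    for anchor in trust_store:
        if issued(anchor, cert):
            return [cert, anchor]
    best = None
    for cand in pool:
        if cand == cert or cand in seen or not issued(cand, cert):
            continue
        rest = build_path(cand, pool, trust_store, seen + (cert,))
        if rest and (best is None or len(rest) + 1 < len(best)):
            best = [cert] + rest
    return best

if __name__ == "__main__":
    sent = [INTERMEDIATE, CROSS]  # certificates the server sends with the leaf
    for name, store in (("modern", [ROOT, LEGACY]), ("legacy", [LEGACY])):
        path = build_path(LEAF, sent, store)
        print(name, "->", " / ".join(c.subject + " (by " + c.issuer + ")" for c in path))
```

Because the intermediate's issuer name and signing key match both the self-signed root and the cross certificate, the same intermediate works in either chain; a legacy client only succeeds if the cross certificate is available to it during path building.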


When do the root certificates expire?

  • The AAA Certificate Services root expires in 2028, but will be retired before that date.

  • The requirement to use the cross-signing for legacy compatibility is diminishing all the time, as most modern, up-to-date software already has the modern roots embedded in the trust store.

  • The other modern roots expire in 2038.


Are new root certificates being added?

  • Yes. Sectigo have issued new root certificates (as of early 2022) and are working with the software vendors to have them included in trust stores.

  • They will also be cross-signed by the older roots to ensure full compatibility when they are deployed into use.

  • The new roots are in use today for some code signing certificates.