Sectigo Root Certificates
Currently Sectigo operate 4 ‘modern’ root certificates:
USERTrust RSA Certification Authority - https://crt.sh/?id=1199354
USERTrust ECC Certification Authority - https://crt.sh/?id=2841410
COMODO RSA Certification Authority - https://crt.sh/?id=1720081
COMODO ECC Certification Authority - https://crt.sh/?id=2835394
(Each certificate can be viewed and downloaded from the crt.sh link)
These root certificates were added into the following platforms:
macOS Sierra 10.12.1 Public Beta 2
Windows XP (via Automatic Root Update; Note: ECC wasn't supported by Windows until Vista)
Windows Phone 7
Firefox 3.0.4 (COMODO ECC Certification Authority)
Firefox 36 (the other 3 roots)
Android 2.3 (COMODO ECC Certification Authority)
Android 5.1 (the other 3 roots)
Java JRE 8u51
[Browser release in December 2012]
SE 10.1.1550.0 and Extreme browser 11.0.2031.0
Additionally, each of the 4 modern roots has been cross-signed by an older Sectigo root certificate:
AAA Certificate Services - https://crt.sh/?id=331986
This cross-certification provides additional backward-compatibility for legacy versions of software:
Apple iOS 3.
Apple macOS 10.4.
Google Android 2.3.
Mozilla Firefox 1.
Oracle Java JRE 1.5.0_08.
The cross-certificates for each of the four modern roots, signed by AAA Certificate Services, can be found here:
AAA Certificate Services - USERTrust RSA Certification Authority - https://crt.sh/?id=1282303295
AAA Certificate Services - USERTrust ECC Certification Authority - https://crt.sh/?id=1282303296
AAA Certificate Services - COMODO RSA Certification Authority - https://crt.sh/?id=2545965608
AAA Certificate Services - COMODO ECC Certification Authority - https://crt.sh/?id=2545966120
What is cross-signing?
A root certificate is a self-signed certificate that has been included in a trust store by a software or OS vendor, so that users and clients of that product automatically trust the root certificate.
CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms.
To take advantage of this and ensure compatibility across as many platforms as possible, CAs generate cross certificates so that their certificates are as widely supported as possible.
A cross certificate is created when one root certificate is used to sign another.
The cross certificate uses the same public key and Subject DN (Distinguished Name) as the root being signed.
Browsers and clients will chain back to the “best” root certificate they trust.
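The mechanism described above, as an added example (not Sectigo's code or certificates): a Go program that builds a constructed legacy root, modern root, cross certificate and leaf, then checks that the cross certificate shares the modern root's Subject DN and public key, and that a client trusting only the legacy root accepts the leaf only when the server sends the cross certificate. All names and keys are throwaway assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate binding cn to subj's public key; a nil parent means self-signed.
func issue(cn string, ca bool, subj *rsa.PrivateKey, parent *x509.Certificate, signer *rsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &subj.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// trusts: does a client whose trust store holds only root accept leaf when the server also sends sent?
func trusts(root, leaf, sent *x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(sent)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}

// Demo uses constructed names and throwaway keys (assumptions), not Sectigo's certificates.
func Demo() (sameID, modernClient, legacyWithCross, legacyWithoutCross bool) {
	legacyKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	modernKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	legacy := issue("Constructed Legacy Root", true, legacyKey, nil, legacyKey)
	modern := issue("Constructed Modern Root", true, modernKey, nil, modernKey)
	cross := issue("Constructed Modern Root", true, modernKey, legacy, legacyKey) // same DN and key, legacy issuer
	leaf := issue("leaf.example", false, leafKey, modern, modernKey)
	sameID = string(cross.RawSubject) == string(modern.RawSubject) && modernKey.PublicKey.Equal(cross.PublicKey)
	return sameID, trusts(modern, leaf, cross), trusts(legacy, leaf, cross), trusts(legacy, leaf, modern)
}

func main() { fmt.Println(Demo()) }
```

The last result is false: sending the self-signed modern root instead of the cross certificate gives a legacy-only client no path to a root it trusts.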
When do the root certificates expire?
The AAA Certificate Services root expires in 2028, but will be retired before that date.
The requirement to use the cross-signing for legacy compatibility is diminishing all the time, as most modern, up-to-date software already has the modern roots embedded in the trust store.
The other modern roots expire in 2038.
Are new root certificates being added?
Yes. Sectigo have issued new root certificates (as of early 2022) and are working with the software vendors to have them included in trust stores.
They will also be cross-signed by the older roots to ensure full compatibility when they are deployed into use.
The new roots are in use today for some code signing certificates.