Sectigo Root Certificates

Currently Sectigo operate 4 ‘modern’ root certificates:

1. USERTrust RSA Certification Authority - https://crt.sh/?id=1199354

2. USERTrust ECC Certification Authority - https://crt.sh/?id=2841410

3. COMODO RSA Certification Authority - https://crt.sh/?id=1720081

4. COMODO ECC Certification Authority - https://crt.sh/?id=2835394

(Each certificate can be viewed and downloaded from the crt.sh link)

These root certificates were added into the following platforms:

Apple:

• macOS Sierra 10.12.1 Public Beta 2

• iOS 10

Microsoft:

• Windows XP (via Automatic Root Update; Note: ECC wasn't supported by Windows until Vista)

• Windows Phone 7

Mozilla:

• Firefox 3.0.4 (COMODO ECC Certification Authority)

• Firefox 36 (the other 3 roots)

Google:

• Android 2.3 (COMODO ECC Certification Authority)

• Android 5.1 (the other 3 roots)

Oracle:

• Java JRE 8u51

Opera:

• [Browser release in December 2012]

360 Browser:

• SE 10.1.1550.0 and Extreme browser 11.0.2031.0

Additionally, each of the 4 modern roots have been cross-signed by an older Sectigo root certificate:

• AAA Certificate Services -https://crt.sh/?id=331986

This cross-certification provides additional backward-compatibility for legacy versions of software:

• Apple iOS 3.

• Apple macOS 10.4.

• Google Android 2.3.

• Mozilla Firefox 1.

• Oracle Java JRE 1.5.0_08.

The cross-certificates for each of the four modern roots, signed by AAA Certificate Services can be found here:

• AAA Certificate Services - USERTrust RSA Certification Authority - https://crt.sh/?id=1282303295

• AAA Certificate Services - USERTrust ECC Certification Authority - https://crt.sh/?id=1282303296

• AAA Certificate Services - COMODO RSA Certification Authority - https://crt.sh/?id=2545965608

• AAA Certificate Services - COMODO ECC Certification Authority - https://crt.sh/?id=2545966120

FAQs

What is cross-signing?

• A root certificate is a self-signed certificate that has been included in a trust store by a software or OS vendor, so that users and clients of that product automatically trust the root certificate.

• CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms.

• To take advantage of this and ensure compatibility across as many platforms, CAs generate cross certificates to ensure that their certificates are as widely supported as possible.

• A cross certificate is where one root certificate is used to sign another.

• The cross certificate uses the same public key and Subject DN (Distinguished Name) as the root being signed.

• Browsers and clients will chain back to the “best” root certificate they trust.

When do the root certificates expire?

• The AAA Certificate Services root expires in 2028, but will be retired before that date.

• The requirement to use the cross-signing for legacy compatibility is diminishing all the time, as most modern, up-to-date software already has the modern roots embedded in the trust store.

• The other modern roots expire in 2038.

Are new root certificates being added?

• Yes. Sectigo have issued new root certificates (as of early 2022) and are working with the software vendors to have them included in trust stores.

• They will also be cross-signed by the older roots to ensure full compatibility when they are deployed into use.

• The new roots are in-use today for some codesigning certificates.