FAQ

WHOIS Email DCV Deprecation

Recent vulnerabilities in the domain name WHOIS system have highlighted the WHOIS-based domain-validation method as a weakness in the process of validating publicly-trusted digital certificates.

A ballot is expected to pass in the CA/Browser Forum (CABF) requiring that WHOIS-listed email addresses are no longer acceptable for domain validation, nor can historic domain validations based on WHOIS email addresses be reused.

As a result, Sectigo and all other public Certificate Authorities will be required to:

  • No longer allow WHOIS-based email addresses for domain validation.
  • No longer allow certificates to be issued based on a WHOIS email address validation. Domains must be re-validated using an accepted, non-WHOIS method.

No. No certificates that were validated based on WHOIS emails will be revoked.

However, after June 15th 2025, no more certificates can be issued based on WHOIS email validation, so you will need to re-validate your domain(s) using accepted methods.

If you have any existing domain validations affected, you will need to re-verify them using alternative DCV methods.

If you do not do so, no certificates will be issued for those name(s) after the effective date until a new domain validation is completed using an accepted method.

Email, DNS and HTTP methods are still available.

Email validation is still accepted using 'constructed' email addresses - admin@, administrator@, hostmaster@, postmaster@ and webmaster@ yourdomain.com.


Sectigo Root CA Change - May 15, 2025

Sectigo is updating and enhancing its Root CA certificates to align with new security policies and industry standards. This involves migrating to new Public Root CAs and discontinuing trust for certain older Sectigo Root CAs.

Effective May 15th, 2025, Sectigo will be migrating to new Public Root and Subordinate certificates for Organization Validation (OV) SSL/TLS, which are widely used within the Western community.

The change is driven by policy adjustments from major browsers like Mozilla and Chrome, which limit the usability period of Root CA certificates to a maximum of 15 years after the private key was generated. This helps improve security and agility.

Existing Certificates: Your current certificates will remain valid until they expire.

New Certificates: After May 15, all newly issued certificates will come with the new Public Root and Subordinate (Intermediate) CA certificates.

Browser Trust:

  • Certificates issued by Subordinate CAs directly under the "AAA Certificate Services" Root CA will no longer be trusted in new releases of Firefox, NSS, and Chrome after April 15, 2025.

  • If you rely on the “AAA Certificate Services” Root CA for legacy browsers (released prior to April 15, 2025), or use a certificate chain cross-signed by the “AAA Certificate Services” Root CA to support legacy platforms, this change will not have an impact. 

CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms. In order to take advantage of this fact, CAs generate cross certificates to ensure that their certificates are as widely supported as possible. A cross certificate is where one root certificate is used to sign another.

The cross certificate uses the same public key and Subject as the root being signed. Sectigo's new Root CAs have been cross-signed by both of their long-standing Root CAs to extend the ubiquity of the new Root CAs, so they are also trusted on legacy systems that may not know about these new CA certificates.

  • AAA Certificate Services
  • USERTrust RSA Certification Authority (For RSA)

[Figure: cross-signing chain]
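The cross-certificate relationship described above, as an added example (not Sectigo's code or tooling): it builds a constructed two-root hierarchy with Go's standard library, checks the "same public key and Subject" property, and verifies a leaf against each root. All certificate names, the fixed demo keys and the helpers `issue`, `IsCrossPair`, `TrustedVia` and `Demo` are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue binds cn to key's public half; the issuer is a stub parent that carries only issuerCN, signed by signer.
func issue(cn, issuerCN string, key, signer ed25519.PrivateKey, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, t, &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}, key.Public(), signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// IsCrossPair reports whether a and b share Subject and public key but were issued by different CAs.
func IsCrossPair(a, b *x509.Certificate) bool {
	return bytes.Equal(a.RawSubject, b.RawSubject) && bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo) && !bytes.Equal(a.RawIssuer, b.RawIssuer)
}

// TrustedVia reports whether leaf verifies for a client that trusts only root and was sent one extra CA certificate.
func TrustedVia(leaf, root, sent *x509.Certificate) bool {
	roots, extra := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	extra.AddCert(sent)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: extra})
	return err == nil
}

// Demo builds a constructed hierarchy; every name and key here is made up for this example.
func Demo() (pair, modern, legacy, legacyNoCross bool) {
	k := func(seed byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, 32)) } // fixed demo keys
	oldKey, newKey, leafKey := k(1), k(2), k(3)
	oldRoot := issue("Constructed Legacy Root", "Constructed Legacy Root", oldKey, oldKey, true)
	newRoot := issue("Constructed New Root", "Constructed New Root", newKey, newKey, true)
	cross := issue("Constructed New Root", "Constructed Legacy Root", newKey, oldKey, true) // the cross certificate
	leaf := issue("www.example.test", "Constructed New Root", leafKey, newKey, false)
	return IsCrossPair(newRoot, cross), TrustedVia(leaf, newRoot, cross), TrustedVia(leaf, oldRoot, cross), TrustedVia(leaf, oldRoot, newRoot)
}
func main() { fmt.Println(Demo()) }
```

The last result is the failure mode to watch for: a client that only knows the legacy root cannot build a path when it is handed the self-signed new root instead of the cross certificate.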

  • Update Used Certificates: If you have hard-coded specific Root CAs and/or Subordinate (Intermediate) CAs within your application or service, please ensure these are updated to install the appropriate CA certificates after the migration.
  • Update Your Systems: Review your certificate profiles and certificate stores to ensure everything is ready to accept certificates from the new Sectigo Public Roots.
  • If you are using ACME (Automated Certificate Management Environment): The automation will handle the change. After May 15th 2025, the new Root and Intermediates will be automatically installed on the servers, so there is no impact.

There are multiple ways to download the new certificates:
  • Download from the PKI site: You can find the download links on this page.
  • Download from Sectigo Manager: As a delegated admin, when creating or renewing certificates after May 15, 2025, you should be able to view and download the new Sectigo Root and Subordinate CAs from Sectigo Certificate Manager (SCM).

Sectigo has more information about the change, you can find it:

If you have any questions, you can also reach out to WTS Helpdesk.

