FAQ

No. No certificates that were validated based on WHOIS emails will be revoked.

However, after June 15^th 2025, no more certificates can be issued based on WHOIS email validation, so you will need to re-validate your domain(s) using accepted methods.

If you have any existing domain validations affected, you will need to re-verify them using alternative DCV methods.

If you do not do so, no certificates will be issued for those name(s) until a new domain validations is completed using an accepted method, after the affective date.

Email, DNS and HTTP methods are still available.

Email validation is still accepted using 'constructed' email addresses - admin@, administrator@, hostmaster@, postmaster@ and webmaster@ yourdomain.com.

Sectigo is updating and enhancing its Root CA certificates to align with new security policies and industry standards. This involves migrating to new Public Root CAs and discontinuing trust for certain older Sectigo Root CAs.

Effective May 15th, 2025, Sectigo will be migrating to new Public Root and Subordinate certificates for Organization Validation (OV) SSL/TLS, which are widely used within the Western community.

Existing Certificates: Your current certificates will remain valid until they expire.

New Certificates: After May 15, all newly issued certificates will come with the new Public Root and Subordinate (Inermediate) CA certificates.

Browser Trust:

• Certificates issued by Subordinate CAs directly under the "AAA Certificate Services" Root CA will no longer be trusted in new releases of Firefox, NSS, and Chrome after April 15, 2025.

• If you rely on the “AAA Certificate Services” Root CA for legacy browsers (released prior to April 15, 2025), or use a certificate chain cross-signed by the “AAA Certificate Services” Root CA to support legacy platforms, this change will not have an impact. 

CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms. In order to take advantage of this fact, CAs generate cross certificates to ensure that their certificates are as widely supported as possible. A cross certificate is where one root certificate is used to sign another.

The cross certificate uses the same public key and Subject as the root being signed. Sectigo's new Root CAs have been cross-signed by both of their long standing Root CAs to extend the ubiquity of the new Root CAs, so they are also trusted on legacy systems that may not know about these new CA certificates.

• AAA Certificate Services
• USERTrust RSA Certification Authority (For RSA)

• Update Used Certificates:If you have hard-coded specific Root CAs and/or Subordinate (Intermediate) CAs within your application or service , please ensure these are updated to install the appropriate CA certificates after the migration.
• Update Your Systems:Review your certificate profiles and certificate stores to ensure everything is ready to accept certificates from the new Sectigo Public Roots.
• If you are using ACME (Automated Certificate Management Environment): The automation will handle the change as after May 15th 2025, the new Root and Intermediates will be automatically installed on the servers, so no impact.

• Download from the PKI site: You can find the download links in this page.
• Download from Sectigo Manager: As a delegated admin, when creating or renewing certificates after May 15, 2025, you should be able to view and download the new Sectigo Root and Subordinate CAs from Sectigo Certificate Manager (SCM).

Sectigo has more information about the change, you can find it:

• Sectigo Pulbic Root CA Migration
• Enhancements to Root CA and Hierarchies 

If you have any questions, you can also reach out to WTS Helpdesk.