FAQ

Sectigo Root CA Change - May 15, 2025

Sectigo is updating and enhancing its Root CA certificates to align with new security policies and industry standards. This involves migrating to new Public Root CAs and discontinuing trust for certain older Sectigo Root CAs.

Effective May 15th, 2025, Sectigo will be migrating to new Public Root and Subordinate certificates for Organization Validation (OV) SSL/TLS, which are widely used within the Western community.

The change is driven by policy adjustments from major browsers like Mozilla and Chrome, which limit the usability period of Root CA certificates to a maximum of 15 years after the private key was generated. This helps improve security and agility.

Existing Certificates: Your current certificates will remain valid until they expire.

New Certificates: After May 15, all newly issued certificates will come with the new Public Root and Subordinate (Inermediate) CA certificates.

Browser Trust:

  • Certificates issued by Subordinate CAs directly under the "AAA Certificate Services" Root CA will no longer be trusted in new releases of Firefox, NSS, and Chrome after April 15, 2025.

  • If you rely on the “AAA Certificate Services” Root CA for legacy browsers (released prior to April 15, 2025), or use a certificate chain cross-signed by the “AAA Certificate Services” Root CA to support legacy platforms, this change will not have an impact. 

CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms. In order to take advantage of this fact, CAs generate cross certificates to ensure that their certificates are as widely supported as possible. A cross certificate is where one root certificate is used to sign another.

The cross certificate uses the same public key and Subject as the root being signed. Sectigo's new Root CAs have been cross-signed by both of their long standing Root CAs to extend the ubiquity of the new Root CAs, so they are also trusted on legacy systems that may not know about these new CA certificates.

  • AAA Certificate Services
  • USERTrust RSA Certification Authority (For RSA)

cross signing chain

  • Update Used Certificates:If you have hard-coded specific Root CAs and/or Subordinate (Intermediate) CAs within your application or service , please ensure these are updated to install the appropriate CA certificates after the migration.
  • Update Your Systems:Review your certificate profiles and certificate stores to ensure everything is ready to accept certificates from the new Sectigo Public Roots.
  • If you are using ACME (Automated Certificate Management Environment): The automation will handle the change as after May 15th 2025, the new Root and Intermediates will be automatically installed on the servers, so no impact.
There are multiple ways to download the new certificates:
  • Download from the PKI site: You can find the download links in this page.
  • Download from Sectigo Manager: As a delegated admin, when creating or renewing certificates after May 15, 2025, you should be able to view and download the new Sectigo Root and Subordinate CAs from Sectigo Certificate Manager (SCM).

Sectigo has more information about the change, you can find it:

If you have any questions, you can also reach out to WTS Helpdesk.


Published on  and maintained in Cascade.