Knowledge Base
Sectigo Root Certificates
Overview
This article helps you identify Sectigo's four modern root certificates, understand where they are trusted, and see how older platforms still trust them through cross-signing. It covers the four modern roots (available in Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (ECC) key types), the platforms where each root is trusted, how a Certificate Authority (CA) uses cross-signing for backward compatibility, the upcoming roots for email, server, and code-signing certificates, and frequently asked questions. By the end, you will know which root certificate a Sectigo-issued certificate chains back to and how to view or download each root.
What is a root certificate?
A root certificate is a self-signed certificate that a software or operating system (OS) vendor includes in its trust store, so that users and clients of that product automatically trust it. A Certificate Authority (CA) such as Sectigo often controls multiple root certificates; generally, the older the root, the more widely it is distributed across older platforms.
Sectigo's four modern root certificates
Sectigo currently operates four modern root certificates. Each one can be viewed and downloaded from its crt.sh link.
|
Root certificate |
Key type |
View / download |
|
USERTrust RSA Certification Authority |
RSA | |
|
USERTrust ECC Certification Authority |
ECC | |
|
COMODO RSA Certification Authority |
RSA | |
|
COMODO ECC Certification Authority |
ECC |
Where the modern roots are trusted
Sectigo's four modern root certificates were added to the following platforms:
|
Vendor |
Platform and version |
|
Apple |
macOS Sierra 10.12.1 Public Beta 2; iOS 10 |
|
Microsoft |
Windows XP (via Automatic Root Update). Note: ECC was not supported by Windows until Vista. Windows Phone 7 |
|
Mozilla |
Firefox 3.0.4 (COMODO ECC Certification Authority); Firefox 36 (the other three modern roots) |
|
|
Android 2.3 (COMODO ECC Certification Authority); Android 5.1 (the other three modern roots) |
|
Oracle |
Java JRE 8u51 |
|
Opera |
Browser release in December 2012 |
|
360 Browser |
SE 10.1.1550.0 and Extreme browser 11.0.2031.0 |
Cross-signing for backward compatibility
Cross-signing is when one root certificate is used to sign another, so that clients can chain back to a more widely trusted root. To ensure compatibility across as many platforms as possible, a Certificate Authority (CA) generates cross-certificates using the same public key and Subject Distinguished Name (DN) as the root being signed; browsers and clients then chain back to the “best” root certificate they trust.
Each of Sectigo's four modern roots is cross-signed by an older Sectigo root, AAA Certificate Services (crt.sh/?id=331986). This extends trust to legacy versions of software, including:
|
Vendor |
Legacy version supported |
|
Apple |
iOS 3; macOS 10.4 |
|
|
Android 2.3 |
|
Mozilla |
Firefox 1 |
|
Oracle |
Java JRE 1.5.0_08 |
The cross-certificates signed by AAA Certificate Services for each modern root are:
|
Modern root (cross-signed by AAA Certificate Services) |
View / download |
|
USERTrust RSA Certification Authority | |
|
USERTrust ECC Certification Authority | |
|
COMODO RSA Certification Authority | |
|
COMODO ECC Certification Authority |
Upcoming root certificates
Sectigo is introducing new root certificates, in both RSA and ECC key types, for the following certificate products. Validation levels are Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV).
|
Product |
Effective |
RSA root |
ECC root |
|
Secure/Multipurpose Internet Mail Extensions (S/MIME) email protection |
After March 1, 2025 |
Sectigo Public Email Protection Root R46 (crt.sh/?d=4256644602) |
Sectigo Public Email Protection Root E46 (crt.sh/?d=4256644601) |
|
DV TLS |
After June 2, 2025 |
Sectigo Public Server Authentication Root R46 (crt.sh/?d=4256644734) |
Sectigo Public Server Authentication Root E46 (crt.sh/?d=4256644603) |
|
OV TLS |
After May 15, 2025 |
Sectigo Public Server Authentication Root R46 (crt.sh/?d=4256644734) |
Sectigo Public Server Authentication Root E46 (crt.sh/?d=4256644603) |
|
EV TLS |
After April 15, 2025 |
Sectigo Public Server Authentication Root R46 (crt.sh/?d=4256644734) |
Sectigo Public Server Authentication Root E46 (crt.sh/?d=4256644603) |
|
Code signing (cross-signed with USERTrust root) |
— |
OV Sectigo Public Code Signing Root R46 and Sectigo Public Code Signing Root R46 (download links in the source article) |
— |
Frequently asked questions
When do Sectigo's root certificates expire?
The AAA Certificate Services root expires in 2028 but will be retired before that date. Sectigo's four modern root certificates expire in 2038.
Is cross-signing still required?
The need for cross-signing for legacy compatibility is diminishing over time, because most modern, up-to-date software already has Sectigo's modern roots embedded in its trust store. Cross-signing remains useful only for older legacy platforms.
How can I view or download a Sectigo root or cross-certificate?
Each root and cross-certificate can be viewed and downloaded from the crt.sh links listed in the tables in this article.
Need assistance?
Contact our team for help with your purchase or issuing your certificate.
Live chat
Click the button below or click "Chat with an Expert" to start chatting with us now!
