Enhancements to Root CA and Hierarchies
Sectigo is updating and enhancing Root CA certificates.
Upcoming changes
Mozilla and Chrome have implemented policy adjustments for Root CA certificates. Specifically, starting April 15, 2025, Trust Bits for TLS Certificates tied to the "AAA Certificate Services" Root CA will be omitted in subsequent releases.
Why the change?
Mozilla and the Chrome Root Program have implemented policy changes that limit the usability period of Root CA certificates to a maximum of 15 years after the private key was generated. This change helps to fortify security measures and increases agility. Both parties have thoughtfully outlined a schedule for the initial batches of root certificates that are affected by this, among which our "AAA Certificate Services" Root CA is included in the first batch.
How does this impact you?
Certificates issued by Subordinate CAs that were directly issued by the "AAA Certificate Services" Root CA will no longer be trusted in new releases of Firefox, NSS, and Chrome after April 15, 2025.
If you rely on the "AAA Certificate Services" Root CA for legacy platforms, such as versions of Firefox and Chrome released prior to April 15, 2025, or use a certificate chain cross-signed by the "AAA Certificate Services" Root CA to support legacy platforms, this change will not have an impact.
Your proactive steps
- Certificate/Key Pinning: We strongly recommend against the use of Certificate/Key Pinning for TLS certificates. If you do have this implemented, please make sure you do not rely on the "AAA Certificate Services" Root CA.
- Subordinate CA Users: If your setup involves a Subordinate CA signed by the "AAA Certificate Services" Root CA, we encourage exploring alternative options.
  - Customers with their own branded SubCAs will need to replace them.
  - Customers using our "general purpose" SubCAs issued by AAA will need to switch to alternatives issued from our UserTrust roots. Please reach out to your account manager and/or support for assistance.
- Stay informed to stay secure: We understand the significance of these changes and assure you that we're dedicated to keeping you informed. Expect updates through our communication channels.
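For the pinning and Subordinate CA items above, the following added example (not Sectigo's own tooling) lists every certificate in a PEM bundle, such as a served chain or a pin set, whose issuer is named "AAA Certificate Services". The function names and the throwaway demo chain are assumptions made for illustration, and the match is on the issuer name only.

```shell
#!/bin/sh
# Added example: inventory check for reliance on the "AAA Certificate Services" root.
# Matching is by issuer common name only (an assumption; it is not a signature check).

AAA_CN='AAA Certificate Services'

# aaa_issued BUNDLE
# Prints the subject line of each certificate in BUNDLE whose issuer CN is the
# AAA root. The root's own self-signed certificate is reported too, since a
# chain or pin set that carries it also depends on it.
aaa_issued() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        awk -v cn="$AAA_CN" '
            /^subject=/ { subj = $0 }
            /^issuer=/  {
                # OpenSSL prints "CN = x", "CN=x" or "/CN=x" depending on version;
                # the appended comma lets one pattern cover a CN at end of line.
                if (($0 ",") ~ ("CN ?= ?" cn "[,/]")) print subj
            }'
}

# make_demo_bundle DIR
# Writes DIR/bundle.pem from constructed certificates: a stand-in root that only
# shares the AAA name, a sub CA issued by it, and an unrelated self-signed root.
make_demo_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Constructed/CN=$AAA_CN" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/O=Constructed/CN=Demo Sub CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -out "$d/sub.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Constructed/CN=Other Root" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    cat "$d/sub.pem" "$d/root.pem" "$d/other.pem" > "$d/bundle.pem"
}

# Usage: sh check_aaa.sh chain.pem
if [ "$#" -gt 0 ]; then
    aaa_issued "$1"
fi
```

Empty output means no certificate in the bundle names the AAA root as its issuer. Any subject printed is a certificate to review against the steps above.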