May 30 AddTrust Root Expiration Explained
This past Saturday Sectigo’s twenty-year-old AddTrust legacy root (the AddTrust External CA Root) expired. Until its expiration, Sectigo maintained this root in order to provide the broadest possible support among older systems. The vast majority of customers and use cases experienced no problems whatsoever (and most likely were unaware that the root expiration had even occurred). A small minority of users experienced service problems, in two forms: client systems so old that they never received Sectigo’s modern COMODO root into their trust store, and older TLS libraries that do hold the modern root but cannot build a path around the expired AddTrust cross-certificate when a server still sends it in its chain.
For a full technical explanation of this root expiration and what to do about it, see our Knowledgebase article and accompanying FAQ. Additionally, here are answers to some of the common questions we have received about this expiration.
Q: Why did the expiration happen?
By the nature of PKI all certificates expire, including root certificates and intermediates. Certificate expiration is essential to the health of our cryptographic systems, as it assures the eventual replacement of every element of the system by newer ones that use the best security practices of the time. Public PKI systems were designed this way from the very beginning. The notAfter date is signed into the certificate itself and enforced by every relying client, so no CA can extend a certificate after issuance, nor prevent or delay an upcoming expiration.
This particular root was issued in the year 2000 for twenty years, and its eventual expiration at 10:48:38 UTC on May 30, 2020 has been a matter of public record for its entire lifespan.
Q: Why did you provide a root that you knew was going to expire?
All roots will expire. In the case of the AddTrust root, we supported it for many years in order to provide the broadest possible support for old systems. Discontinuing trust for that root ahead of its expiration could have caused outages and problems for use cases that legitimately depended on the presence of that root. To minimize disruption, we began communicating about the upcoming expiration with known users of this legacy root in 2019.
Q: What systems were affected?
While an inventory of every affected system would not be possible, all or nearly all affected systems are old enough that they don’t support modern root updating mechanisms and so never received the COMODO root. The OpenSSL entry below is the exception: older OpenSSL path building trusts the chain exactly as the server sends it, so a client that does hold the modern root still fails with an expiration error if the server’s chain includes the expired AddTrust cross-certificate. That case is fixed on the server side by removing the cross-certificate (and the AddTrust root itself, which should never have been sent) from the served chain. Carnegie Mellon University supplies this useful list of known examples:
- Apple Mac OS X 10.11 (El Capitan) or earlier
- Apple iOS 9 or earlier
- Google Android 5.0 or earlier
- Microsoft Windows Vista & 7 if the Update Root Certificates Feature has been disabled since before June 2010
- Microsoft Windows XP if an Automatic Root Update has not been received since before June 2010
- Mozilla Firefox 35 or earlier
- Oracle Java 8u50 or earlier
- Embedded devices (especially copy machines) that have not installed a firmware update since before mid 2015
- OpenSSL-based client software that uses libraries prior to version 1.1.1
- OpenLDAP clients on Red Hat Enterprise Linux 6 and 7
Q: What do I do if I still need legacy support?
For business processes that depend on very old systems, Sectigo has made available a new legacy cross-certificate: the USERTrust RSA Certification Authority intermediate signed by the older “AAA Certificate Services” root, which is present in most old trust stores. That root itself expires at the end of 2028, so a chain that depends on it is a bridge, not a permanent fix. Please use extreme caution about any process that depends on very old legacy systems. Systems that have not received the updates necessary to support newer roots such as Sectigo’s COMODO root will inevitably be missing other essential security updates and should be considered insecure.
Q: How come I didn’t know about this?
Sectigo contacted every contact on record for all known customers with information on this expiration, and also communicated broadly to the market through customer notifications, blogging, podcasting, and multiple touch points on our social media accounts.
If you believe you did not receive a notification from Sectigo, email us to confirm that the contact information for the correct employees is on record for our email distribution list. Changes in roles and responsibilities can lead to communication gaps if vendors are not informed of them.
Q: What should I have done differently to prevent this outage or fire drill?
Our Knowledgebase article and accompanying FAQ contain detailed information on how to deal with a root expiration like this one. Please see these documents for guidance on how to defend your organization against future outages when roots expire.
As a general principle it pays to remember that digital certificates are one of the secure foundation stones of all modern computer systems. Make sure you give adequate attention to your digital certificates. Sectigo dealt with many enterprises that were proactively preparing for this expiration. Those that understood the trust stores of the systems they had in place, knew which chain their servers were sending, and prepared in advance to identify and resolve issues did not experience problems during this root expiration.
Q: When is Sectigo’s next root expiration?
Sectigo will not experience another expiration of a publicly trusted legacy root until 2028, when the AAA Certificate Services root expires. Sectigo’s main modern root, the COMODO RSA Certification Authority root, is supported by all modern browsers and infrastructure and does not expire until 2038.