Sectigo Public Root CAs Migration

FAQs

Sectigo continues to lead the way in delivering trusted digital security. With the successful incorporation of our new Public Root CAs into major root stores, including Mozilla, Microsoft, Apple, and Google/Chrome, we’re entering a new phase of certificate issuance.

This FAQ is designed to address common questions and concerns about the upcoming migration, helping you stay informed and prepared.

Key dates to keep in mind:

S/MIME certificates will transition on March 1, 2025
EV TLS on April 15, 2025
OV TLS on May 15, 2025
DV TLS on June 2, 2025

To obtain the default Root and Subordinate CA certificates please click on the respective FAQ question on the right.

Please don’t hesitate to contact us for help in ensuring a smooth transition.

What are Sectigo Public Root CAs, and why is this important?

Sectigo Public Root CAs (Certificate Authorities) are foundational elements in ensuring that digital certificates are trusted across the web. They are now incorporated into the major root stores (Mozilla, Microsoft, Apple, Google/Chrome). This means your Sectigo certificates will enjoy enhanced security and trust on all modern platforms, ensuring that your websites, email communications, and other digital transactions remain secure.

What is changing with my Sectigo certificates?

Over the next several months, all certificate issuance will migrate to the new Sectigo Public Root CAs. This affects TLS certificates used for website security and S/MIME certificates used for securing emails.

Here are the key dates to keep in mind:

S/MIME Certificates: Issuance will switch to the new roots on March 1, 2025.

EV TLS Certificates: Migration starts April 15, 2025.

OV TLS Certificates: Migration starts May 15, 2025.

DV TLS Certificates: Migration starts June 2, 2025.

After these dates, all newly issued certificates will come from the new Public Root CAs.

The change-over will happen at an some point during the above stated dates.

What do I need to do to prepare?

To avoid any disruptions in your certificate services:

Discontinue Certificate Pinning: Review if you make use of Certificate Pinning in any form. We strongly recommend against this practice. However, should you make use of certificate pinning and are pinning either a Root CA or Subordinate CA, you will need to make sure our new Root CAs and/or Subordinate CAs are accepted.

Update used certificates: If you have hard-coded specific Root CAs and/or Subordinate CAs within your implementation tools, please make sure these are updated to install the appropriate CA certificates after we switch over.

Update your systems: Review your certificate profiles and ensure everything is ready to accept certificates from the new Sectigo Public Roots.

Will this impact existing certificates?

No, your existing certificates will remain valid until they expire. The change only applies to certificates issued after the migration dates mentioned above.

If you hold a Multi-Year subscription certificate, a reissues occurs after migration dates mentioned. Sectigo will supply the new Public Root CAs with your end entity certificate.

What is cross-signing?

CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms. In order to take advantage of this fact, CAs generate cross certificates to ensure that their certificates are as widely supported as possible. A cross certificate is where one root certificate is used to sign another.

The cross certificate uses the same public key and Subject as the root being signed.

For S/MIME, can you specify which CAs you currently are using and which you will switch to on the set date?

While there are multiple options based on your ordering channel and customized settings, the following are presently, and until March 1st, 2025, the default Root and Subordinate CA certificates:

For RSA based keys:

Root CA: USERTrust RSA Certification Authority (https://crt.sh/?d=1199354)

Subordinate CA: Sectigo RSA Client Authentication and Secure Email CA (https://crt.sh/?d=924467858)

For ECC based keys:

Root CA: USERTrust ECC Certification Authority (https://crt.sh/?d=2841410)

Subordinate CA: Sectigo ECC Client Authentication and Secure Email CA (https://crt.sh/?d=924467856)

Starting March 1st, 2025 the default Root and Subordinate CA certificates will be:

For RSA based keys:

Root CA: Sectigo Public Email Protection Root R46 (https://crt.sh/?d=4256644602)

Subordinate CA: Sectigo Public Email Protection CA R36 (https://crt.sh/?d=4267304694)

For ECC based keys:

Root CA: Sectigo Public Email Protection Root E46 (https://crt.sh/?d=4256644601)

Subordinate CA: Sectigo Public Email Protection CA E36 (https://crt.sh/?d=4267304699)

For EV TLS, can you specify which CAs you currently are using and which you will switch to on the set date?

While there are multiple options based on your ordering channel and customized settings, the following are presently, and until April 15, 2025, the default Root and Subordinate CA certificates:

For RSA based keys:

Root CA: USERTrust RSA Certification Authority (https://crt.sh/?d=1199354)

Subordinate CA: Sectigo RSA Extended Validation Secure Server CA (https://crt.sh/?d=924467854)

For ECC based keys:

Root CA: USERTrust ECC Certification Authority (https://crt.sh/?d=2841410)

Subordinate CA: Sectigo ECC Extended Validation Secure Server CA (https://crt.sh/?d=924467862)

Starting April 15, 2025 the default Root and Subordinate CA certificates will be:

For RSA based keys:

Root CA: Sectigo Public Server Authentication Root R46 (https://crt.sh/?d=4256644734)

Subordinate CA: Sectigo Public Server Authentication CA EV R36 (https://crt.sh/?d=4267304687)

For ECC based keys:

Root CA: Sectigo Public Server Authentication Root E46 (https://crt.sh/?d=4256644603)

Subordinate CA: Sectigo Public Server Authentication CA EV E36 (https://crt.sh/?d=4267304692)

For OV TLS, can you specify which CAs you currently are using and which you will switch to on the set date?

While there are multiple options based on your ordering channel and customized settings, the following are presently, and until May 15, 2025, the default Root and Subordinate CA certificates:

For RSA based keys:

Root CA: USERTrust RSA Certification Authority (https://crt.sh/?d=1199354)

Subordinate CA: Sectigo RSA Organization Validation Secure Server CA (https://crt.sh/?d=924467857)

For ECC based keys:

Root CA: USERTrust ECC Certification Authority (https://crt.sh/?d=2841410)

Subordinate CA: Sectigo ECC Organization Validation Secure Server CA (https://crt.sh/?d=924467859)

Starting May 15, 2025 the default Root and Subordinate CA certificates will be:

For RSA based keys:

Root CA: Sectigo Public Server Authentication Root R46 (https://crt.sh/?d=4256644734)

Subordinate CA: Sectigo Public Server Authentication CA OV R36 (https://crt.sh/?d=4267304698)

For ECC based keys:

Root CA: Sectigo Public Server Authentication Root E46 (https://crt.sh/?d=4256644603)

Subordinate CA: Sectigo Public Server Authentication CA OV E36 (https://crt.sh/?d=4267304689)

For DV TLS, can you specify which CAs you currently are using and which you will switch to on the set date?

While there are multiple options based on your ordering channel and customized settings, the following are presently, and until June 2, 2025, the default Root and Subordinate CA certificates:

For RSA based keys:

Root CA: USERTrust RSA Certification Authority (https://crt.sh/?d=1199354)

Subordinate CA: Sectigo RSA Domain Validation Secure Server CA (https://crt.sh/?d=924467861)

For ECC based keys:

Root CA: USERTrust ECC Certification Authority (https://crt.sh/?d=2841410)

Subordinate CA: Sectigo ECC Domain Validation Secure Server CA (https://crt.sh/?d=924467852)

Starting June 2, 2025 the default Root and Subordinate CA certificates will be:

For RSA based keys:

Root CA: Sectigo Public Server Authentication Root R46 (https://crt.sh/?d=4256644734)

Subordinate CA: Sectigo Public Server Authentication CA DV R36 (https://crt.sh/?d=4267304690)

For ECC based keys:

Root CA: Sectigo Public Server Authentication Root E46 (https://crt.sh/?d=4256644603)

Subordinate CA: Sectigo Public Server Authentication CA DV E36 (https://crt.sh/?d=4267304693)

How will you ensure backwards compatibility with legacy systems?

All our new Root CAs, have been cross-signed by both of our long standing Root CAs:

AAA Certificate Services

USERTrust RSA Certification Authority (For RSA)

USERTrust ECC Certification Authority (For ECC)

Through these cross-signings, we extend the ubiquity of the new Root CAs, so they are also trusted on legacy systems that may not know about these new CA certificates, but do know about the long standing Root CAs mentioned above.

How will this impact partners and customers using their own branded Subordinate CAs?

If you're one of the partners or customers using one or more branded Subordinate CAs, expect further communication. We will reach out to you for replacements of these throughout 2025, to migrate to new SubCAs under the Sectigo Public Root infrastructure.

How is Sectigo preparing for future industry changes?

Sectigo is committed to maintaining its leadership in digital security. We continuously monitor industry trends and standards to ensure that our customers are always equipped with the latest and most secure technologies. This migration is just one step in our ongoing efforts to keep you at the forefront of security practices, now and in the future.

Where can I get more help or information?

For more detailed guidance, feel free to contact our support team or visit Sectigo’s Support Knowledge Base for more details.