
20200210 - Sectigo / Comodo CA: expiration of Addtrust root

The AddTrust External CA root, under which all Sectigo, TBS X509 and PositiveSSL RSA server certificates were issued, will expire in May 2020.

To ensure that browsers continue to recognize these certificates, a new chain is now used to issue your certificates.

A new chain

Since February 06, 2020, Sectigo, TBS X509 and PositiveSSL certificates use USERTrust RSA Certification Authority as intermediate and Comodo AAA Certificate Services as root.

What consequences?

In most cases no modification is necessary on your installed certificates: they are compatible with browsers released since 2015. However, if your users are still using Android versions lower than 4.4 or iOS versions lower than 9, we recommend activating the new intermediate pointing to the root COMODO AAA Certificate Services.

Two ways to do it:

The recognition of your certificates will be (slightly) impacted by this chain modification:

  • Mobile devices:

    - Better recognition on Apple and Android devices

    - No significant change on the others

  • Desktop browsers:

    - Loss of recognition on Opera (root installed from version 12.12), Safari (root installed from version 4.1.3) and Linux (root installed from CA-Certificate 20061027)

    - No change on Windows (any browsers) and Seamonkey

    - Better recognition on Firefox and J2RE (any OS)

After your certificate renewal or reissuance, the entire chain will have to be re-installed, not only the certificate.

Installing or re-installing the entire chain allows old equipment (Android or iOS devices in particular) that does not have the new root certificate USERTrust RSA Certification Authority to follow the certification chain to its end, i.e. to the root AAA Certificate Services.

Case of CURL

The curl tool has a bug (probably inherited from OpenSSL) when verifying chains and dies with the fatal error

certificate has expired

If you control the server, you just need to edit the certificate chain to remove this certificate:

s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

If you can't change the server, you could use the wget tool, which doesn't have this bug.
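
To check whether a server you control still sends the certificate described above, the following added example (not part of the original page) parses the chain listing printed by openssl s_client -showcerts and reports every entry issued by AddTrust External CA Root. HOST is a placeholder, and the leaf and issuing CA names in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Feed it the output of:
#   openssl s_client -connect HOST:443 -showcerts </dev/null
# (HOST is a placeholder for your own server.)

# Prints "<depth><TAB><subject CN>" for every chain entry whose issuer is
# AddTrust External CA Root. Accepts both DN layouts openssl prints:
# "/C=SE/.../CN=Name" and "C = SE, ..., CN = Name".
find_addtrust_links() {
  awk '
    function cn(dn) {                  # keep only the CN value of a DN
      sub(/^.*CN ?= ?/, "", dn)
      sub("[/,].*$", "", dn)
      return dn
    }
    /^ *([0-9]+ )?s:/ {                # subject line, "N s:..." or "s:..."
      depth = ($1 ~ /^[0-9]+$/) ? $1 : "?"
      subj = $0; sub(/^ *([0-9]+ )?s:/, "", subj); next
    }
    /^ *i:/ {                          # issuer line of the same entry
      iss = $0; sub(/^ *i:/, "", iss)
      if (cn(iss) == "AddTrust External CA Root")
        printf "%s\t%s\n", depth, cn(subj)
    }'
}

# Constructed sample: entry 2 is the pair of lines quoted on this page;
# the leaf and "Example Issuing CA" names are hypothetical.
sample_chain() {
  cat <<'EOF'
Certificate chain
 0 s:/CN=www.example.test
   i:/C=XX/O=Example/CN=Example Issuing CA
 1 s:/C=XX/O=Example/CN=Example Issuing CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
EOF
}

sample_chain | find_addtrust_links
```

No output means that no entry in the chain the server sends is issued by AddTrust External CA Root.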
