Sectigo Root Certificate expiring May 30, 2020

The AddTrust External CA Root, which was used to sign Sectigo certificates, expired on May 30, 2020.

Does this affect me?

If your website or other online service relies on applications or integrations such as APIs, cURL, OpenSSL, etc., you may have experienced problems or outages. If you have had any service disruptions or errors, or your visitors use browsers older than 2015 and report issues, you will need to take action to update the service. See the full list of affected systems.

Check whether you use the expired root:

  1. Go to decoder.link.
  2. Fill in the hostname of your service and the corresponding port.
  3. Click “Check”.
  4. Scroll down to “Certificate # 3”.
  5. Check “Issuer Common Name”: if you see AddTrust External CA Root, you are using the expired root.
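
The same check can be run from a shell against the chain your server actually sends, using `openssl s_client -showcerts`. The script below is an added example, not part of the original guide; the function names and both sample chains are constructed for illustration, and it goes slightly beyond the steps above by scanning every certificate position rather than only “Certificate # 3”.

```shell
#!/bin/sh
# Added example (not from the original page). Sample chains are constructed.
EXPIRED_ROOT_CN='AddTrust External CA Root'

# Read `openssl s_client -showcerts` output on stdin and print the 1-based
# position ("Certificate # N") of every served certificate whose issuer
# common name is the expired root. Prints nothing if none is found.
expired_root_positions() {
    awk -v root="$EXPIRED_ROOT_CN" '
        # Subject lines (" 2 s:...") carry the 0-based chain index.
        /^ *[0-9]+ s:/ { pos = $1 + 1; next }
        # Issuer lines ("   i:...") follow; handle both the "CN = x"
        # (OpenSSL 1.1+) and "/CN=x" (OpenSSL 1.0) name formats.
        /^ *i:/ {
            cn = $0
            sub(/^.*CN ?= ?/, "", cn)   # drop everything up to the last CN
            sub("[,/].*$", "", cn)      # drop any attribute after the CN
            sub(/[ \r]+$/, "", cn)      # drop trailing whitespace or CR
            if (cn == root) print pos
        }'
}

# Constructed sample: chain that still chains up to the expired root.
sample_affected() { cat <<'EOF'
Certificate chain
 0 s:CN = yoursite.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
EOF
}

# Constructed sample: chain after the CA-bundle was updated (older name format).
sample_fixed() { cat <<'EOF'
Certificate chain
 0 s:/CN=yoursite.com
   i:/C=GB/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
EOF
}

# Live use (HOST and PORT are placeholders for your own service):
#   openssl s_client -connect HOST:PORT -servername HOST -showcerts </dev/null 2>/dev/null | expired_root_positions
echo "affected sample: certificate # $(sample_affected | expired_root_positions)"
echo "fixed sample: [$(sample_fixed | expired_root_positions)]"
```

Empty output means no certificate sent by the server names the expired root as its issuer.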

How can I fix the issue?

There are 2 ways to fix it; the preferred option depends on your server type and its configuration. The easiest one is to update the CA-bundle: this doesn’t require a reissue, and the fix will be instant.

If you don’t have the option to update the CA-bundle, the only way to start using a new root is to reissue your SSL certificate. The fix will take as long as the certificate authority needs to validate your SSL.

Option 1 (recommended): Update CA-bundle

Download SSL with new CA-bundle from your account

  1. Click “Download” next to the affected SSL in the “My SSL” section of your account to get the SSL with an updated CA-bundle that contains a new root.
  2. Install the SSL with the updated CA-bundle on your server. Depending on your server type and its configuration, you’ll need to either update the CA-bundle only or re-install the SSL from scratch. Please contact your hosting support if you need assistance.

Download CA-bundle separately

If you don’t have access to your ssls.com account, you can download a new CA-bundle with an updated root by following this guide:

  1. Go to decoder.link.
  2. Fill in the hostname of your service and the corresponding port.
  3. Click “Check”.
  4. Scroll down to “Certificate # 1 – Common Name: yoursite.com”.
  5. Check the “Issuer Common Name” and download the bundle corresponding to your SSL type. Extract the files from the downloaded bundle, and re-install your certificate on your hosting server.

Issuer Common Name    Bundle
Sectigo RSA           SHA-2 root (current): DV SSL bundle, OV SSL bundle, EV SSL bundle
                      SHA-1 root (supported by legacy systems): DV SSL bundle, OV SSL bundle, EV SSL bundle
Sectigo ECC           SHA-2 root (current): DV SSL bundle, OV SSL bundle, EV SSL bundle
                      SHA-1 root (supported by legacy systems): DV SSL bundle, OV SSL bundle, EV SSL bundle
Comodo RSA            SHA-2 root (current): DV SSL bundle, OV SSL bundle, EV SSL bundle
Comodo ECC            SHA-2 root (current): DV SSL bundle, OV SSL bundle, EV SSL bundle

Option 2: Reissue and install your SSL

  1. Log in to your account.
  2. Go to the “My SSL” section and click “Details” next to the affected certificate.
  3. Click “Reissue”.
  4. When the certificate is reissued, you will need to install it. Please contact your hosting support if you need help with SSL installation.