Sectigo Root Certificate expiring May 30, 2020

The AddTrust External CA Root that was used to sign Sectigo certificates expired on May 30, 2020.

Does this affect me?

If your website or other online service relies on other applications or integrations, such as APIs, cURL, or OpenSSL, you may have experienced problems or outages. If you have had any service disruptions or errors, or your visitors use browsers older than 2015 and report issues, you will need to take action to update the service. See the full list of affected systems.

Check if you use the expired Root:

  1. Go to decoder.link.
  2. Fill in the hostname of your service and the corresponding port.
  3. Click "Check".
  4. Scroll down to the "Certificate # 3" section.
  5. If you see "AddTrust External CA Root" as "Issuer Common Name", please follow the next steps. Otherwise, the service is not affected by the issue.
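
The same check can be run locally on the "Certificate chain" section printed by `openssl s_client -connect host:port -showcerts`. The script below is an added example, not part of the original article; the sample output is constructed, the function names are hypothetical, and positions are reported 1-based to match the "Certificate # 3" numbering above.

```python
import re

EXPIRED_ROOT_CN = "AddTrust External CA Root"  # issuer name given in the article

# Constructed sample of the chain listing from
# `openssl s_client -connect yoursite.com:443 -showcerts` (placeholder host).
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = yoursite.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
"""

# Matches both "CN = name" (newer OpenSSL) and "/CN=name" (older OpenSSL).
_CN = re.compile(r"\bCN\s*=\s*([^,/\n]+)")
_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s+i:(.*)$")

def _cn(dn):
    m = _CN.search(dn)
    return m.group(1).strip() if m else None

def parse_chain(text):
    """Return [(index, subject_cn, issuer_cn)] for each certificate the server sent."""
    chain, pending = [], None
    for line in text.splitlines():
        s = _SUBJECT.match(line)
        if s:
            pending = (int(s.group(1)), _cn(s.group(2)))
            continue
        i = _ISSUER.match(line)
        if i and pending:
            chain.append((pending[0], pending[1], _cn(i.group(1))))
            pending = None
    return chain

def affected_certs(text):
    """Return (1-based position, subject CN) of certs issued by the expired root."""
    return [(idx + 1, subj) for idx, subj, iss in parse_chain(text)
            if iss == EXPIRED_ROOT_CN]
```

An empty list from `affected_certs` means no certificate in the served chain was issued by the expired root.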

How can I fix the issue?

There are 2 ways to fix it. The preferred option depends on your server type and its configuration. The easiest one is to update the CA-bundle. As this option doesn’t require a reissue, the fix will be instant.

If you don’t have the option to update the CA-bundle, the only way for you to start using the new Root is to reissue your SSL certificate. The fix will take the time necessary for the Certificate Authority to validate your SSL.

Option 1 (recommended): Update the CA-bundle

Download SSL with new CA-bundle from your account

  1. Go to the "Domain List" section. Make sure you have the filter set to "All products".
  2. Locate the affected SSL under the corresponding domain name.
  3. Click "Manage" next to the certificate.
  4. Click "Download" next to the affected certificate to get the SSL with updated CA-bundle that contains the new Root.
  5. Install the downloaded SSL with the updated CA-bundle on your server. Based on server type and its configuration, you’ll need to update the CA-bundle only or re-install the SSL from scratch. Please contact your hosting support, if you need assistance.

Download CA-bundle separately

If you don’t have access to your Namecheap account, you can download a new CA-bundle with the new Root by following this guide:

  1. Go to decoder.link.
  2. Fill in the hostname of your service and the corresponding port.
  3. Click "Check".
  4. Scroll down to "Certificate # 1 – Common Name: yoursite.com".
  5. Check the "Issuer Common Name" and download the bundle corresponding to your SSL type. Extract the files from the downloaded bundle, and re-install your certificate on your hosting server.

| Issuer Common Name | Bundle |
|---|---|
| Sectigo RSA | SHA-2 root (current): DV SSL bundle, OV SSL bundle, EV SSL bundle |
| | SHA-1 root (supported by legacy systems): DV SSL bundle, OV SSL bundle, EV SSL bundle |
| Sectigo ECC | SHA-2 root (current): DV SSL bundle, OV SSL bundle, EV SSL bundle |
| | SHA-1 root (supported by legacy systems): DV SSL bundle, OV SSL bundle, EV SSL bundle |
| Comodo RSA | SHA-2 root (current): DV SSL bundle, OV SSL bundle, EV SSL bundle |
| Comodo ECC | SHA-2 root (current): DV SSL bundle, OV SSL bundle, EV SSL bundle |


Option 2: Reissue and install your SSL

  1. Go to the "Domain List" section. Make sure you have the filter set to "All products".
  2. Locate the affected SSL under the corresponding domain name.
  3. Click "Manage" next to the certificate.
  4. Click "Reissue".
  5. When the certificate is reissued, you will need to install it. Please contact your hosting support if you need help with SSL installation.

Updated
6/18/2020
