Sectigo (Comodo) to start issuing from new Roots on January 14th

On 2nd November we informed you about an announcement from Comodo CA changing its branding to Sectigo.

Yesterday, Sectigo (Comodo CA) announced that it will be entering the next phase of transition: swapping out the old Comodo CA roots on January 14, 2019.

What are Root Certificates?

Every operating system maintains a Root store (sometimes called a trust store) that contains a set of root certificates that are on your system. These roots are very valuable because they can be used to issue trusted digital certificates like SSL/TLS certificates and signing certificates.

When you visit a website and your browser is presented with the site’s SSL/TLS certificate, your browser performs a series of checks to authenticate it. One of those checks involves tracing the signature on the leaf or end-user SSL/TLS certificate back to the certificate whose key signed it.

If it can follow the certificate chain back to one of the roots in whatever trust store it’s using, it will trust the end-user certificate. If not, you get an error and the connection fails.

What is changing?

Sectigo is trying to get away from the Comodo branding, so having Roots and Intermediates that say “Comodo” is not desirable.

Sectigo will begin using its USERTrust Root CAs as opposed to the Comodo Root CAs it had previously been chaining from.

Using the USERTrust Root CAs, Sectigo will spin up its own branded intermediates so that its certificate chain will reflect its new branding.


How Will It Impact Your Website?

This is really something that’s only going to affect the Certificate Authority side of things.

All Comodo-issued certificates will continue to be trusted globally. No action is required from customers, no need to re-issue or replace certificates until expiration.

All current Comodo CA and Sectigo certificates issued off the old roots will continue to work until expiry.

When will these changes take effect?

These changes are set to take effect on January 14, 2019.

As things develop, we at getSSL by iWebz will keep you updated.

Tagged , , , , , .