<article id="post-4357" class="post-4357 post type-post status-publish format-standard has-post-thumbnail hentry category-https-encryption category-ssl-certificate tag-sectigo-public-root-and-intermediate-ca-migration tag-sectigo-public-root-cas-migration entry" morss_own_score="8.168627450980392" morss_score="16.048180256492977">
<h1>Sectigo New Public Roots and Issuing CAs Hierarchy [2025 Migration Guide]</h1>
<figure>
<img decoding="async" src="https://certera.com/blog/wp-content/uploads/2026/01/new-root-cas-migration.webp"> </figure>
<div class="entry-content" morss_own_score="5.528336380255942" morss_score="205.4356232143008">
<p>Most certificate outages don’t begin with a breach alert. They are silent at first. One day a browser warning appears when your website loads, users hesitate, and traffic declines.</p>
<p>Most certificate failures are not caused by attackers. They happen because teams miss quiet infrastructure changes taking place in the background.</p>
<p><strong>Sectigo’s 2025 migration of its public root and intermediate CAs is exactly that kind of change.</strong></p>
<p>On your end, everything may look fine. Your <a href="https://certera.com/">SSL certificate</a> still shows as valid. Renewal reminders still arrive. Dashboards stay green. But trust is being redefined at the browser level, and it is browsers, not your server, that decide what is safe.</p>
<p>If you don’t prepare for this migration, browsers will eventually stop trusting certificates that chain to the older hierarchy. When that happens the impact is immediate: security warnings, broken HTTPS, failed API calls, and lost user confidence.</p>
<h2>Why Sectigo Rethought Its Root CA Strategy</h2>
<p>Security standards do not stand still, and certificate authorities cannot afford to either. Over the last few years, browser vendors and their root programs have raised the bar for what earns trust.</p>
<p>The rules that once governed certificate issuance no longer satisfy current requirements. As those rules were revised, the old certificate models became outdated.</p>
<p>That is why Sectigo moved away from multi-purpose root CAs and adopted single-purpose public roots.</p>
<p>Multi-purpose roots were designed for a different era. They issued several kinds of certificates under one umbrella, which made them more complex and, over time, riskier. The modern security model favours isolation, clarity, and narrowly scoped roots, and single-purpose roots deliver exactly that.</p>
<h3>With this change, Sectigo can:</h3>
<ul>
<li>Meet evolving <a href="https://certera.com/blog/ca-b-approved-47-day-ssl-tls-validity-by-2029-how-to-prepare/">CA/Browser Forum requirements</a> without last-minute workarounds</li>
<li>Stay aligned with Chrome and Mozilla root program policies, including future enforcement changes</li>
<li>Reduce long-term security exposure by limiting what each root is allowed to do</li>
<li>Preserve trust across browsers, operating systems, and devices, both modern and legacy</li>
</ul>
<p>It is a structural change. Browsers are enforcing these standards aggressively, and legacy roots are being retired on fixed schedules. <a href="https://certera.com/blog/what-is-a-ca-certificate-authority-role-pki-trust-hierarchies/">Certificate authorities</a> do not have the option of ignoring this, and neither do the organisations that rely on them.</p>
<p><strong>Also Read:</strong> <a href="https://certera.com/blog/root-certificate-vs-intermediate-certificate-the-real-difference/">Root Certificate vs Intermediate Certificate</a></p>
<h2>What Single-Purpose Root CAs Actually Mean</h2>
<p>For years, legacy root certificates tried to do everything.</p>
<p>They issued several kinds of certificates, served many use cases, and their responsibilities kept growing. That flexibility worked in the early days, but it also added complexity, risk, and long-term maintenance burden.</p>
<p>Legacy roots simply did too much. Single-purpose root CAs take the opposite approach.</p>
<p>They are not generic trust anchors. Each is built for one specific, well-defined purpose. In Sectigo’s case that means roots dedicated to either <a href="https://certera.com/buy-ssl-certificates">TLS/SSL</a> or <a href="https://certera.com/smime-certificates">S/MIME</a>, with certificate usage tightly restricted.</p>
<h3>This Design Change delivers Real Security Benefits:</h3>
<ul>
<li>Certificate usage is limited by design, not policy alone</li>
<li>Attack surface shrinks because fewer functions mean fewer ways to abuse trust</li>
<li>Modern browser enforcement rules are met by default, not through exceptions</li>
<li>Forced distrust timelines are avoided because these roots align with current root program expectations.</li>
</ul>
<p>Browsers want predictability. They want trust anchors that behave predictably and operate under narrow, well-defined rules. Single-purpose root CAs provide exactly that clarity.</p>
<h2>The Timeline You Cannot Ignore</h2>
<p>There’s one date you need to remember, and missing it has consequences.</p>
<p><strong><em>Starting January 1, 2026, Sectigo will no longer re-issue SSL certificates under older root or intermediate chains.</em></strong> This isn’t a recommendation. It’s a hard stop.</p>
<p><strong>Once this date passes, any certificate still tied to a legacy chain hits a dead end.</strong> You won’t be able to reissue it. You won’t be able to renew it under the same hierarchy. And waiting until the last moment won’t buy you time.</p>
<h3>Here’s how it plays out in the real world:</h3>
<ul>
<li>Old chains mean no renewals</li>
<li>No renewals mean expired certificates</li>
<li><a href="https://certera.com/blog/expired-ssl-certificates-are-risky-14-7-million-people-affected-by-the-mr-cooper-data-breach/">Expired certificates mean outages</a></li>
</ul>
<p>And outages don’t just break encryption. They break user confidence, search rankings, API integrations, and <a href="https://certera.com/blog/what-is-certificate-automation-how-automation-helps-prevent-ssl-attacks/">automated workflows</a> that depend on HTTPS.</p>
<p>Sectigo has already started the migration, and most certificate issuance has moved to the new public roots. The remaining transitions are happening now. The window is closing, and the safest time to act is before browsers force the issue for you.</p>
<p><strong>Also Read:</strong> <a href="https://certera.com/blog/certificate-life-cycle-management-emerging-trends-to-watch-in-2026/">Certificate Management Emerging Trends to Watch in 2026</a></p>
<h2>What Happens If You Stay on Legacy Roots</h2>
<p>Everything looks fine on the surface. The certificate is still valid. The expiration date is months away. Monitoring tools stay quiet. And because nothing appears broken, the issue gets pushed down the priority list.</p>
<p>Until it isn’t fine anymore.</p>
<p>Major browser root programs now enforce mandatory distrust timelines. These aren’t theoretical policies. They are active rules that browsers already follow.</p>
<h3>Here’s what that means in practice:</h3>
<ul>
<li>Legacy roots lose trust once root-program age limits on their keys are reached, regardless of how long the certificates under them remain valid</li>
<li>Chrome’s root store applies SCTNotAfter constraints: certificates whose SCTs are dated after the cutoff are rejected, even though they are otherwise valid</li>
<li>Mozilla distrust propagates through NSS, affecting Linux, BSD, and countless enterprise systems</li>
</ul>
<p>Once distrust kicks in, the browser doesn’t care that your certificate hasn’t expired. Trust disappears anyway.</p>
<p>You are one browser update or one policy enforcement date away from users seeing security warnings, APIs rejecting connections, and encrypted traffic stopping. By the time it shows up in your dashboards, your users have already noticed, and many have already left.</p>
<p><strong>Also Read:</strong> <a href="https://certera.com/blog/what-is-certificate-management-why-do-businesses-need-centralized-certificate-management-solution/">What is Certificate Management? Why Do Businesses Need Centralized Certificate Management Solution?</a></p>
<h2>How the New Sectigo Certificate Chain Works</h2>
<p>Sectigo didn’t just replace old certificates with new ones. They redesigned the entire trust model for stability, longevity, and compatibility.</p>
<p>The new <a href="https://certera.com/blog/what-is-a-ca-certificate-authority-role-pki-trust-hierarchies/">certificate chain</a> follows a clear and intentional structure.</p>
<h3>First, all new certificates are now issued under modern public root CAs: </h3>
<p>These roots are single-purpose, tightly scoped, and fully aligned with current browser and root program requirements. This ensures long-term trust without running into future enforcement surprises.</p>
<h3>Second, cross-signed roots act as the compatibility bridge:</h3>
<p>A cross-signed root is a certificate for the new root’s key issued by a well-established legacy root such as USERTrust. It lets certificates issued under the new roots chain back to that legacy root when older devices or operating systems do not yet trust the new root directly. Legacy environments keep working without weakening security for modern platforms.</p>
<h3>Lastly, legacy roots no longer issue end-entity certificates:</h3>
<p>They remain in client trust stores as trust anchors. They do not sit at the top of newly issued chains; they only vouch for the cross-signed new roots on clients that still need them. That minimises risk while preserving compatibility.</p>
<p><strong>The outcome is a clean division of roles:</strong></p>
<ul>
<li>New roots handle issuance</li>
<li>Cross-signed roots handle compatibility</li>
<li>Legacy roots only provide trust</li>
</ul>
<h2>Sectigo’s New Roots and Issuing CAs for the RSA and ECC Trust Paths</h2>
<p>Sectigo runs two parallel hierarchies, one per key algorithm. On the RSA path, your certificate is issued by a Sectigo Public Server Authentication CA (DV, OV or EV) R36 intermediate, which chains to the Sectigo Public Server Authentication Root R46. On the ECC path, the intermediate is the matching E36 CA, which chains to the Sectigo Public Server Authentication Root E46. Each new root exists in two forms: a self-signed certificate, which up-to-date trust stores contain directly, and a cross-signed certificate issued by the legacy USERTrust root (USERTrust RSA Certification Authority for R46, USERTrust ECC Certification Authority for E46), which older trust stores can validate.</p>
<h2>What is in your Sectigo SSL Certificate Folder?</h2>
<p>Once the SSL files have been downloaded, it is easy to forget what each one is for. That is usually where problems begin.</p>
<p>Each file in the Sectigo folder has a purpose.</p>
<p>You will find your <strong>domain (leaf) certificate</strong>. This is the one bound to your site, and it is what makes HTTPS work.</p>
<p><strong>Intermediate certificates are also present</strong>. They sit between your site and Sectigo’s root and let browsers build a path from your certificate to a root they trust.</p>
<p>You will also see a <strong>cross-signed root certificate</strong>. It exists for older systems that have not yet added the new root to their trust store, so that your site keeps working for them.</p>
<p>The <strong>USERTrust root certificate</strong> is included as well. Many older devices still rely on it, and removing it from the picture too soon leads to trust errors.</p>
<p>Sometimes there is also a <a href="https://certera.com/kb/what-is-a-ca-bundle-in-ssl-and-how-do-you-create-it/">CA bundle</a>, which simply concatenates the intermediate and cross-signed root so setup is easier.</p>
<p>The lesson is simple: serve the leaf together with every intermediate and the cross-signed root you are given. Leave one out and some browsers will not be able to build a trusted path.</p>
<h2>Sectigo Certificate Migration Timeline</h2>
<figure>
<table>
<tbody>
<tr>
<td><strong>Certificate Type</strong></td>
<td><strong>Issued Before This Date (Legacy Chain)</strong></td>
<td><strong>Issued On/After This Date (New Chain)</strong></td>
<td><strong>New Intermediate CA</strong></td>
<td><strong>New Root CA (Trusted Chain)</strong></td>
<td><strong>Action Required</strong></td>
</tr>
<tr>
<td><strong><a href="https://certera.com/ssl-types/ev-ssl">EV SSL</a></strong></td>
<td>Before <strong>Apr 15, 2025</strong></td>
<td>On/After <strong>Apr 15, 2025</strong></td>
<td>Sectigo Public Server Authentication <strong>CA EV R36 / E36</strong></td>
<td>Sectigo Public Server Authentication <strong>Root R46 / E46</strong> (cross-signed via USERTrust)</td>
<td>Verify chain if issued before date</td>
</tr>
<tr>
<td><strong><a href="https://certera.com/ssl-types/ov-ssl">OV SSL</a></strong></td>
<td>Before <strong>May 15, 2025</strong></td>
<td>On/After <strong>May 15, 2025</strong></td>
<td>Sectigo Public Server Authentication <strong>CA OV R36 / E36</strong></td>
<td>Sectigo Public Server Authentication <strong>Root R46 / E46</strong> (cross-signed via USERTrust)</td>
<td>Update on renewal or reissue</td>
</tr>
<tr>
<td><strong><a href="https://certera.com/ssl-types/dv-ssl">DV SSL</a></strong></td>
<td>Before <strong>June 2, 2025</strong></td>
<td>On/After <strong>June 2, 2025</strong></td>
<td>Sectigo Public Server Authentication <strong>CA DV R36 / E36</strong></td>
<td>Sectigo Public Server Authentication <strong>Root R46 / E46</strong> (cross-signed via USERTrust)</td>
<td>Check older certs immediately</td>
</tr>
<tr>
<td><strong><a href="https://certera.com/smime/digicert-smime-email-certificate">S/MIME (Email)</a></strong></td>
<td>Before <strong>Mar 1, 2025</strong></td>
<td>On/After <strong>Mar 1, 2025</strong></td>
<td>Sectigo Public Email Protection <strong>CA R36</strong></td>
<td>Sectigo Public Email Protection <strong>Root R46 / E46</strong></td>
<td>Update trust stores</td>
</tr>
<tr>
<td><strong><a href="https://certera.com/code-signing">Code Signing (OV & EV)</a></strong></td>
<td>Early 2025 (legacy roots)</td>
<td>2025 onward (phased)</td>
<td> Sectigo Public Code Signing <strong>CA R36</strong></td>
<td>Sectigo Public Code Signing <strong>Root R46</strong> (USERTrust cross-signed)</td>
<td>Mandatory for future signing</td>
</tr>
</tbody>
</table>
</figure>
<p><strong>Recommended: </strong><a href="https://www.sectigo.com/knowledge-base/detail/Access-New-Sectigo-Certificate-Chain">Access New Sectigo Public Certificate Chain Here</a></p>
<h2>How to Set Up the New Sectigo Certificate Chain</h2>
<p>Follow these steps when installing or renewing your Sectigo SSL certificate to avoid trust errors.</p>
<ul>
<li><strong>Start from the complete certificate package:</strong> Use the SSL certificate folder exactly as delivered to your Sectigo account or email. Don’t assemble files from other sources or older orders.</li>
<li><strong>Install your domain (leaf) certificate:</strong> This is the certificate issued to your domain (for example, yourdomain_com.crt). Install it on your server as the main SSL certificate.</li>
<li><strong>Install the intermediate certificates:</strong> Install the intermediate CA that matches your certificate type (DV, OV, or EV) and key algorithm (R36 for RSA, E36 for ECC). It links your certificate to Sectigo’s public root.</li>
<li><strong>Install the cross-signed root certificate:</strong> Add the cross-signed root issued by the legacy USERTrust root to the served chain. This keeps older systems and operating systems working.</li>
<li><strong>Or install the CA bundle:</strong> If your server accepts a CA bundle, install the <strong>MyCA_Bundle.ca-bundle file</strong> instead of the individual certificates; it already contains the intermediate and cross-signed root in the right order.</li>
<li><strong>Check the complete certificate chain:</strong> After installation, test the chain with an <a href="https://certera.com/ssl-tools/ssl-checker">SSL checker</a> to confirm it is complete and that browsers build a trusted path.</li>
</ul>
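<p>The cross-signed bridge described under “How the New Sectigo Certificate Chain Works” and the installation steps above can be exercised end to end against a toy hierarchy. The script below is an added example for this guide, not Sectigo tooling and not Sectigo’s certificates: it builds hypothetical stand-ins with the openssl CLI (Legacy Root for USERTrust, New Root for R46/E46, Issuing CA for R36/E36), verifies the same leaf against a modern trust store and a legacy-only trust store with and without the cross-signed root, and includes a small audit helper that lists subject and issuer for every certificate in a bundle and counts self-signed roots, which should never be part of the chain you serve. It assumes a POSIX shell and the openssl command (1.1.1 or 3.x); the names and the example.test hostname are made up.</p>

```shell
#!/bin/sh
# Added example for this guide (not Sectigo's code or certificates). Hypothetical
# stand-ins for the roles in the post:
#   "Legacy Root"  -> the long-established legacy root (USERTrust in Sectigo's case)
#   "New Root"     -> the single-purpose new root (R46/E46 in Sectigo's case)
#   "Issuing CA"   -> the new intermediate (R36/E36 in Sectigo's case)
# Requires a POSIX shell and the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for CA certificates and for the server (leaf) certificate.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# One P-256 key per role. New Root has exactly ONE key; it will appear in two
# certificates (self-signed and cross-signed), which is what cross-signing means.
for n in legacy newroot issuing leaf; do
  openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
done

# Self-signed roots: the legacy anchor and the new single-purpose anchor.
openssl req -x509 -new -key legacy.key  -subj "/CN=Legacy Root" -days 3650 \
  -config ca.cnf -extensions v3_ca -out legacy.crt 2>/dev/null
openssl req -x509 -new -key newroot.key -subj "/CN=New Root"    -days 3650 \
  -config ca.cnf -extensions v3_ca -out newroot-self.crt 2>/dev/null

# issue KEY SUBJECT CA_CERT CA_KEY EXT_SECTION OUT: make a CSR for KEY, sign it with the CA.
issue() {
  openssl req -new -key "$1" -subj "$2" -config ca.cnf -out "$6.csr" 2>/dev/null
  openssl x509 -req -in "$6.csr" -CA "$3" -CAkey "$4" -CAcreateserial -days 825 \
    -extfile ca.cnf -extensions "$5" -out "$6" 2>/dev/null
}
# Cross-sign: same New Root key and name, but this certificate is issued by Legacy Root.
issue newroot.key "/CN=New Root"         legacy.crt       legacy.key  v3_ca   newroot-cross.crt
issue issuing.key "/CN=Issuing CA"       newroot-self.crt newroot.key v3_ca   issuing.crt
issue leaf.key    "/CN=www.example.test" issuing.crt      issuing.key v3_leaf leaf.crt

# What the delivered "folder" should contribute to the served chain besides the leaf:
# the intermediate plus the cross-signed root (never the self-signed root).
cat issuing.crt newroot-cross.crt > bundle.crt

# One function per client population. Exit status is the verdict (0 = trusted).
verify_modern_client()             { openssl verify -CAfile newroot-self.crt -untrusted issuing.crt leaf.crt >/dev/null 2>&1; }
verify_legacy_client_no_bridge()   { openssl verify -CAfile legacy.crt       -untrusted issuing.crt leaf.crt >/dev/null 2>&1; }
verify_legacy_client_with_bridge() { openssl verify -CAfile legacy.crt       -untrusted bundle.crt  leaf.crt >/dev/null 2>&1; }
verify_modern_client_with_bridge() { openssl verify -CAfile newroot-self.crt -untrusted bundle.crt  leaf.crt >/dev/null 2>&1; }

# chain_summary PEM_FILE: print "subject <- issuer" for every certificate in a bundle.
chain_summary() {
  awk '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > ("part." n ".pem")}' "$1"
  for p in part.*.pem; do
    s=$(openssl x509 -in "$p" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$p" -noout -issuer  | sed 's/^issuer= *//')
    printf '%s <- %s\n' "$s" "$i"
  done
  rm -f part.*.pem
}
# count_self_signed PEM_FILE: entries whose subject equals issuer. Anything above 0
# in a chain you serve means a self-signed root is being sent to clients.
count_self_signed() { chain_summary "$1" | awk -F' <- ' '$1 == $2 {c++} END {print c + 0}'; }

report() { if "$1"; then echo "OK"; else echo "FAIL"; fi; }
echo "modern client (trusts New Root), chain = leaf+issuing:         $(report verify_modern_client)"
echo "legacy client (trusts Legacy Root only), chain = leaf+issuing: $(report verify_legacy_client_no_bridge)"
echo "legacy client, chain = leaf+issuing+cross-signed root:         $(report verify_legacy_client_with_bridge)"
echo "modern client, chain = leaf+issuing+cross-signed root:         $(report verify_modern_client_with_bridge)"
echo "bundle contents:"; chain_summary bundle.crt
echo "self-signed roots in bundle: $(count_self_signed bundle.crt)"
```

<p>The second line of the report is the failure mode the guide warns about: a client that only trusts the legacy root cannot validate a chain that stops at the new intermediate. Adding the cross-signed root fixes it, and the modern client is unaffected because it finds the new root in its own trust store first. To audit a live server, capture the chain it actually sends with <code>openssl s_client -connect host:443 -servername host -showcerts &lt;/dev/null | sed -n '/BEGIN CERT/,/END CERT/p' &gt; served.pem</code> and run <code>chain_summary served.pem</code>: the last issuer printed should be the USERTrust root when you serve the cross-signed chain, and <code>count_self_signed</code> should report 0.</p>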
<h2>Disable or Delete the Self-Signed Root from the Windows Trust Store (Only If Needed)</h2>
<p>A Windows server builds the chain it sends to clients from its own local certificate store. If the <strong>self-signed Sectigo root</strong> is present in the machine’s Trusted Root store, Schannel may send a short chain that ends at that root instead of one that includes <strong>the USERTrust cross-signed root</strong>, and older clients that only know USERTrust will reject it.</p>
<p><strong>To fix this:</strong></p>
<ul>
<li>Log in to the server as an administrator and open the <strong>Microsoft Management Console (mmc)</strong>.</li>
<li>Add the <strong>Certificates</strong> snap-in for the <strong>Local Computer</strong>.</li>
<li>In <strong>Trusted Root Certification Authorities</strong>, locate the certificate with <strong>Issued to:</strong> Sectigo Public Server Authentication Root R46 (or E46) and <strong>Issued by:</strong> Sectigo Public Server Authentication Root R46 (or E46).</li>
<li>Disable or delete this certificate <strong>only if</strong> the Issued to and Issued by values are the same; that is what identifies the self-signed copy.</li>
<li>Keep the <strong>USERTrust-issued cross-signed root</strong> (same Issued to, but Issued by the USERTrust root) in place; it normally lives in the Intermediate Certification Authorities store.</li>
</ul>
<p>This step is needed <strong>only when older clients report trust errors against a Windows server.</strong> Do not remove root certificates unless the problem is confirmed.</p>
<h2>Best Practices to Avoid Downtime</h2>
<p>Most <a href="https://certera.com/blog/what-are-certificate-outages-how-to-avoid-ssl-certificate-outages-with-acme/">certificate outages</a> happen because of small setup mistakes, not attacks.</p>
<p><strong>To avoid issues:</strong></p>
<ul>
<li>Install every certificate you’re given. Missing even one breaks the trust chain.</li>
<li>Use the CA bundle if your server supports it. It reduces mistakes.</li>
<li>Don’t pin roots or intermediates in clients or apps. When the chain changes, as it does in this migration, pinned setups fail. If pinning is unavoidable, include backup pins and schedule rotation ahead of chain changes.</li>
<li>Keep trust stores updated on servers, containers, and apps.</li>
</ul>
<p>SSL certificates aren’t one-time setup items. If you don’t maintain them, browsers will eventually stop trusting them.</p>
<h2>Conclusion</h2>
<p>The Sectigo Public Root and Intermediate CA migration isn’t a future problem. It’s a present responsibility.</p>
<p>The changes are already in motion, browsers are already enforcing new trust rules, and the deadline is fixed. Teams that prepare now will transition quietly without impact. Teams that wait will discover the change only when users start seeing warnings.</p>
<p>Audit your certificate chains. Install the full trust path. Move to the new public roots with confidence.</p>
<p>Because when it comes to certificate trust, being proactive is the only safe option. Don’t hesitate to <a href="https://certera.com/support">contact our SSL Experts</a> for any query!</p>
</div>
<h2>Janki Mehta</h2>
<p> Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.</p>
</article><p>The majority of certificate outages don’t begin with a breach alert. They are silent at first. One day, a browser warning appears when your website loads, causing users to hesitate and your traffic to decline. </p><p>This is due to the fact that most certificate failures are not caused by hackers. They occur as a result of teams failing to notice subtle infrastructure changes that are taking place in the background.</p><p><strong>That’s precisely what Sectigo’s Public Root and Intermediate CA migration for 2025 aims to achieve.</strong></p><p>On your end, everything might appear to be fine. It still indicates that your <a href="https://certera.com/">SSL certificate</a> is valid. Reminders for renewals are still coming in. Your dashboards remain green. However, trust is actually changing at the browser level, and browsers, rather than your server, determine what is safe.</p><p>If you don’t prepare for this migration, browsers will stop trusting certificates issued under older chains. When that happens, the impact is immediate: security warnings, broken HTTPS, failed API calls, and lost user confidence.</p><h2>Why Sectigo Reconsidered Its Strategy of Root CA</h2><p>Standards of security do not rest on their laurels. Nor can certificate authorities afford to either. This was the case over the last couple of years as browser vendors, as well as root programs, have set the bar high for the aspect of trust. </p><p>The regulations that used to be the guiding force in the issuance of certificates are not sufficient to address the current security standards. With those rules being revised, old standard models of certificates became old-fashioned.</p><p>That is why Sectigo also left the concept of multi-purpose root CAs and embraced single-purpose Public Root certificates.</p><p>The purpose of multi-purpose routes was created at another time. They managed several types of certificates in a single umbrella that made them more complex and risky in the long term. 
The modern-day security model is biased towards isolation, clarity, and a narrow-scope root, and single-purpose roots provide just that.</p><h3>Under this Change, Sectigo is assured of being able to:</h3><ul>
<li>Meet evolving <a href="https://certera.com/blog/ca-b-approved-47-day-ssl-tls-validity-by-2029-how-to-prepare/">CA/Browser Forum requirements</a> without last-minute workarounds</li>
<li>Stay aligned with Chrome and Mozilla root program policies, including future enforcement changes</li>
<li>Reduce long-term security exposure by limiting what each root is allowed to do</li>
<li>Preserve trust across browsers, operating systems, and devices, both modern and legacy</li>
</ul><p>It is a structural change. Browsers are aggressively implementing these standards, and legacy roots are being eliminated on fixed schedules. The <a href="https://certera.com/blog/what-is-a-ca-certificate-authority-role-pki-trust-hierarchies/">certificate authorities</a> never have the privilege of not doing so, nor do the organisations in which they are entrusted.</p><p><strong>Also Read:</strong> <a href="https://certera.com/blog/root-certificate-vs-intermediate-certificate-the-real-difference/">Root Certificate vs Intermediate Certificate</a></p><h2>What Single-Purpose Root CAs Actually Mean</h2><p>For years, legacy root certificates tried to do everything.</p><p>They released various forms of certificates, had numerous applications, and the responsibility continued to expand with time. That leeway had been successful in the earlier days, but it also added complexity, risk, and long-term maintenance issues.</p><p>Legacy roots simply did too much. Single-purpose Root CAs take the opposite approach.</p><p>They are not generic trust anchors but rather constructed to perform one specific, well-defined purpose. In the case of Sectigo, it would be roots dedicated either to <a href="https://certera.com/buy-ssl-certificates">TLS/SSL</a> or <a href="https://certera.com/smime-certificates">S/MIME</a>, and strongly restricted certificate usage.</p><h3>This Design Change delivers Real Security Benefits:</h3><ul>
<li>Certificate usage is limited by design, not policy alone</li>
<li>Attack surface shrinks because fewer functions mean fewer ways to abuse trust</li>
<li>Modern browser enforcement rules are met by default, not through exceptions</li>
<li>Forced distrust timelines are avoided because these roots align with current root program expectations.</li>
</ul><p>Browsers desire predictability. They desire foundations that act predictably and have limited rules of conduct. Root CAs that are single-purpose offer such clarity.</p><h2>The Timeline You Cannot Ignore</h2><p>There’s one date you need to remember, and missing it has consequences.</p><p><strong><em>Starting January 1, 2026, Sectigo will no longer re-issue SSL certificates under older root or intermediate chains.</em></strong> This isn’t a recommendation. It’s a hard stop.</p><p><strong>Once this date passes, any certificate still tied to a legacy chain hits a dead end.</strong> You won’t be able to reissue it. You won’t be able to renew it under the same hierarchy. And waiting until the last moment won’t buy you time.</p><p>Once this date passes, any certificate still tied to a legacy chain hits a dead end. You won’t be able to reissue it. You won’t be able to renew it under the same hierarchy. And waiting until the last moment won’t buy you time.</p><h3>Here’s how it plays out in the real world:</h3><ul>
<li>Old chains mean no renewals</li>
<li>No renewals mean expired certificates</li>
<li><a href="https://certera.com/blog/expired-ssl-certificates-are-risky-14-7-million-people-affected-by-the-mr-cooper-data-breach/">Expired certificates mean outages</a></li>
</ul><p>And outages don’t just break encryption. They break user confidence, search rankings, API integrations, and <a href="https://certera.com/blog/what-is-certificate-automation-how-automation-helps-prevent-ssl-attacks/">automated workflows</a> that depend on HTTPS.</p><p>Sectigo has already started the migration, and most certificate issuance has moved to the new public roots. The remaining transitions are happening now. The window is closing, and the safest time to act is before browsers force the issue for you.</p><p><strong>Also Read:</strong> <a href="https://certera.com/blog/certificate-life-cycle-management-emerging-trends-to-watch-in-2026/">Certificate Management Emerging Trends to Watch in 2026</a></p><h2>What Happens If You Stay on Legacy Roots</h2><p>Everything looks fine on the surface. The certificate is still valid. The expiration date is months away. Monitoring tools stay quiet. And because nothing appears broken, the issue gets pushed down the priority list.</p><p>Until it isn’t fine anymore.</p><p>Major browser root programs now enforce mandatory distrust timelines. These aren’t theoretical policies. They are active rules that browsers already follow.</p><h3>Here’s what that means in practice:</h3><ul>
<li>Legacy roots lose trust once their private keys hit age limits, regardless of certificate validity</li>
<li>Chrome enforces SCTNotAfter dates, which silently invalidate certificates issued after a cutoff point</li>
<li>Mozilla distrust propagates through NSS, impacting Linux, BSD, and countless enterprise systems</li>
</ul><p>Once distrust kicks in, the browser doesn’t care that your certificate hasn’t expired. Trust disappears anyway.</p><p>You are just one browser update away and one policy enforcement, and suddenly, users see security warnings, APIs reject connections, and encrypted traffic stops flowing. By the time it shows up in your dashboards, your users have already noticed, and many of them have already left.</p><p><strong>Also Read:</strong> <a href="https://certera.com/blog/what-is-certificate-management-why-do-businesses-need-centralized-certificate-management-solution/">What is Certificate Management? Why Do Businesses Need Centralized Certificate Management Solution?</a></p><h2>How the New Sectigo Certificate Chain Works</h2><figure><img decoding="async" src="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%20994%20902'%3E%3C/svg%3E"></figure><p>Sectigo didn’t just replace old certificates with new ones. They redesigned the entire trust model for stability, longevity, and compatibility.</p><p>The new <a href="https://certera.com/blog/what-is-a-ca-certificate-authority-role-pki-trust-hierarchies/">certificate chain</a> follows a clear and intentional structure.</p><h3>First, all new certificates are now issued under modern public root CAs: </h3><p>These roots are single-purpose, tightly scoped, and fully aligned with current browser and root program requirements. This ensures long-term trust without running into future enforcement surprises.</p><h3>Second, cross-signed roots act as the compatibility bridge:</h3><p>They allow certificates issued under new roots to chain back to well-established legacy roots such as USERTrust, when older devices or operating systems need them. This keeps legacy environments working without weakening security for modern platforms.</p><h3>Lastly, legacy roots do not issue certificates anymore:</h3><p>They exist in the form of trust anchors. 
They are not to establish chains but to approve those that need to be. This hugely minimizes risk and maintains compatibility.</p><p><strong>The outcome is a pure division of roles:</strong></p><ul>
<li>New roots handle issuance</li>
<li>Cross-signed roots address compatibility.</li>
<li>Legacy roots only deal with trust.</li>
</ul><h2>Sectigo’s New Roots and Issuing CA for RSA, ECC Trust Path</h2><figure><img decoding="async" src="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%20667%20271'%3E%3C/svg%3E"></figure><figure><img decoding="async" src="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%20662%20256'%3E%3C/svg%3E"></figure><h2>What is in your Sectigo SSL Certificate Folder?</h2><p>Once the SSL files have been downloaded, it is easy to forget them. It is where it usually begins to create issues.</p><p>Each file in the Sectigo folder has a purpose.</p><figure><img decoding="async" src="data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%20569%20309'%3E%3C/svg%3E"></figure><p>You will be displayed with your domain certificate. This is the one that is attached to your site and which makes HTTPS operational.</p><p><strong>Intermediate certificates are also present</strong>. These come in between your site and the root of Sectigo and assist the browsers in ensuring that your certificate is genuine.</p><p>You can observe a <strong>cross-signed root certificate</strong>. This is because of older systems that have not yet been updated to the newer root, meaning that your site still functions with them.</p><p>The <strong>USERTrust root certificate</strong> is also included with Sectigo. It is still being used by many older devices, and taking it away too soon will lead to trust errors.</p><p>Occasionally, it has a <a href="https://certera.com/kb/what-is-a-ca-bundle-in-ssl-and-how-do-you-create-it/">CA bundle</a>, which simply bundles everything together so as to be able to ease setup.</p><p>The lesson learned is easy: install every file you’re given. Miss one, and browsers won’t trust your site.</p><h2>Sectigo Certificate Migration Timeline</h2><figure>
<table>
<tbody>
<tr>
<td><strong>Certificate Type</strong></td>
<td><strong>Issued Before This Date (Legacy Chain)</strong></td>
<td><strong>Issued After This Date (New Chain)</strong></td>
<td><strong>New Intermediate CA</strong></td>
<td><strong>New Root CA (Trusted Chain)</strong></td>
<td><strong>Action Required</strong></td>
</tr>
<tr>
<td><strong><a href="https://certera.com/ssl-types/ev-ssl">EV SSL</a></strong></td>
<td>Before <strong>Apr 15, 2025</strong></td>
<td>On/After <strong>Apr 15, 2025</strong></td>
<td>Sectigo Public Server Authentication <strong>CA EV R36 / E36</strong></td>
<td>Sectigo Public Server Authentication <strong>Root R46 / E46</strong> (cross-signed via USERTrust)</td>
<td>Verify chain if issued before date</td>
</tr>
<tr>
<td><strong><a href="https://certera.com/ssl-types/ov-ssl">OV SSL</a></strong></td>
<td>Before <strong>May 15, 2025</strong></td>
<td>On/After <strong>May 15, 2025</strong></td>
<td>Sectigo Public Server Authentication <strong>CA OV R36 / E36</strong></td>
<td>Sectigo Public Server Authentication <strong>Root R46 / E46</strong> (cross-signed via USERTrust)</td>
<td>Update on renewal or reissue</td>
</tr>
<tr>
<td><strong><a href="https://certera.com/ssl-types/dv-ssl">DV SSL</a></strong></td>
<td>Before <strong>June 2, 2025</strong></td>
<td>On/After <strong>June 2, 2025</strong></td>
<td>Sectigo Public Server Authentication <strong>CA DV R36 / E36</strong></td>
<td>Sectigo Public Server Authentication <strong>Root R46 / E46</strong> (cross-signed via USERTrust)</td>
<td>Check older certs immediately</td>
</tr>
<tr>
<td><strong><a href="https://certera.com/smime/digicert-smime-email-certificate">S/MIME (Email)</a></strong></td>
<td>Before <strong>Mar 1, 2025</strong></td>
<td>On/After <strong>Mar 1, 2025</strong></td>
<td>Sectigo Public Email Protection <strong>CA R36</strong></td>
<td>Sectigo Public Email Protection <strong>Root R46 / E46</strong></td>
<td>Update trust stores</td>
</tr>
<tr>
<td><strong><a href="https://certera.com/code-signing">Code Signing (OV & EV)</a></strong></td>
<td>Early 2025 (legacy roots)</td>
<td>2025 onward (phased)</td>
<td>Sectigo Public Code Signing <strong>CA R36</strong></td>
<td>Sectigo Public Code Signing <strong>Root R46</strong> (USERTrust cross-signed)</td>
<td>Mandatory for future signing</td>
</tr>
</tbody>
</table>
</figure><p><strong>Recommended: </strong><a href="https://www.sectigo.com/knowledge-base/detail/Access-New-Sectigo-Certificate-Chain">Access New Sectigo Public Certificate Chain Here</a></p><h2>How to Set Up the New Sectigo Certificate Chain</h2><p>Take the following steps when installing or renewing your Sectigo SSL certificate to avoid trust problems.</p><ul>
<li><strong>Install the entire certificate package:</strong> Use the SSL certificate folder exactly as it was provided in your Sectigo account or email, and download all of the files.</li>
<li><strong>Install your domain (leaf) certificate:</strong> This is the certificate issued to your domain (for example, yourdomaincom.crt). Install it on your server as the main SSL certificate.</li>
<li><strong>Install the intermediate certificates:</strong> Install the intermediate CA that matches your certificate type (DV, OV, or EV – R36 or E36). These certificates link your domain certificate to Sectigo’s public root.</li>
<li><strong>Install the cross-signed root certificate</strong>: Install the cross-signed root, which chains up to the legacy USERTrust root. This keeps the certificate compatible with older systems and operating systems.</li>
<li><strong>Install CA bundle:</strong> If your server supports a CA bundle, install the <strong>MyCA_Bundle.ca-bundle file</strong> instead of the separate certificates to avoid ordering problems.</li>
<li><strong>Check the complete certificate chain:</strong> After installation, test the chain with an <a href="https://certera.com/ssl-tools/ssl-checker">SSL checker</a> to confirm that it is complete and trusted by browsers.</li>
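<li><strong>Automate the chain check:</strong> As an added example (not code from the original post or from Sectigo), the Python script below reads the subject and issuer lines that <strong>openssl x509 -noout -subject -issuer</strong> prints for each file in the folder, walks leaf → intermediate → root by matching each issuer to the next subject, and reports whether the chain is complete, ends at a self-signed root (Issued to equals Issued by) or is missing an intermediate. The filenames, the shortened DNs and the assumption that the legacy USERTrust root is the anchor already in the client’s trust store are constructed for the example.

```python
"""Chain-order check for a Sectigo certificate folder (added example, not the
post's code). Input: per file, a '# <filename>' line followed by the subject=
and issuer= lines that `openssl x509 -noout -subject -issuer` prints. Output:
(status, filenames leaf -> root); status is complete, self-signed-root,
missing:<dn> or no-single-leaf."""
# Constructed sample mirroring the DV chain described above; DNs are shortened placeholders.
SAMPLE_OPENSSL_OUTPUT = """\
# yourdomaincom.crt
subject=CN = www.example.com
issuer=O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
# SectigoPublicServerAuthenticationCADVR36.crt
subject=O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
issuer=O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
# SectigoPublicServerAuthenticationRootR46_USERTrust.crt
subject=O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
issuer=O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
"""
TRUSTED_ANCHORS = {"O = The USERTRUST Network, CN = USERTrust RSA Certification Authority"}  # assumed in client trust store

def parse_openssl_output(text: str) -> dict[str, tuple[str, str]]:
    certs, name, subject = {}, None, None
    for line in text.splitlines():
        if line.startswith("# "):
            name = line[2:].strip()
        elif line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer=") and name and subject:
            certs[name] = (subject, line[len("issuer="):].strip())
            subject = None
    return certs

def check_chain(certs, anchors=TRUSTED_ANCHORS) -> tuple[str, list[str]]:
    by_subject: dict[str, str] = {}
    for fname, (subj, iss) in certs.items():
        if subj not in by_subject or subj != iss:  # prefer cross-signed over self-signed
            by_subject[subj] = fname
    issuers = {iss for _, iss in certs.values()}
    leaves = [f for f, (s, i) in certs.items() if s not in issuers and s != i and i not in anchors]
    if len(leaves) != 1:
        return "no-single-leaf", []
    order, fname = [], leaves[0]
    while True:
        order.append(fname)
        subject, issuer = certs[fname]
        if subject == issuer:         # Issued to == Issued by: self-signed root
            return "self-signed-root", order
        if issuer in anchors:         # ends at the legacy root clients already trust
            return "complete", order
        if issuer not in by_subject:  # no file in the folder carries this subject
            return "missing:" + issuer, order
        fname = by_subject[issuer]
```

Generate the input on the server with one openssl call per .crt file, each preceded by an echoed "# filename" line, and the returned order is the order in which to concatenate the files.</li>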
</ul><h2>Disable or Delete Untrusted Root from Microsoft Trust Store (Recommended)</h2><p>If older devices fail to trust your certificate on a Windows server, Windows may select the <strong>self-signed Sectigo root</strong> instead of <strong>the USERTrust cross-signed root.</strong> </p><p><strong>To fix this: </strong></p><ul>
<li>Log in to the server as an administrator and open <strong>Microsoft Management Console (mmc)</strong>.</li>
<li>Add the <strong>Certificates</strong> snap-in for the <strong>Local Computer</strong>.</li>
<li>In <strong>Trusted Root Certification Authorities</strong>, locate the certificate:
<ul>
<li><strong>Issued to:</strong> Sectigo Public Server Authentication Root R46 (or E46)</li>
<li><strong>Issued by:</strong> Sectigo Public Server Authentication Root R46 (or E46)</li>
</ul>
</li>
<li>Disable or delete this certificate <strong>only if</strong> the Issued to and Issued by values are the same.</li>
<li>Keep the <strong>USERTrust-issued cross-signed root</strong> enabled.</li>
</ul><p>This step is required <strong>only when trust issues occur on Windows systems.</strong> Do not remove root certificates unless the problem is confirmed. </p><h2>Best Practices to Avoid Downtime</h2><p>Most <a href="https://certera.com/blog/what-are-certificate-outages-how-to-avoid-ssl-certificate-outages-with-acme/">certificate outages</a> happen because of small setup mistakes, not hacking.</p><p><strong>To avoid issues:</strong></p><ul>
<li>Install every certificate you’re given. Missing even one breaks the trust chain.</li>
<li>Use the CA bundle if your server supports it. It reduces mistakes.</li>
<li>Don’t pin roots or intermediates. When certificates change, pinned setups fail.</li>
<li>Keep trust stores updated on servers, containers, and apps.</li>
</ul><p>SSL certificates aren’t one-time setup items. If you don’t maintain them, browsers will eventually stop trusting them.</p><h2>Conclusion</h2><p>The Sectigo Public Root and Intermediate CA migration isn’t a future problem. It’s a present responsibility.</p><p>The changes are already in motion, browsers are already enforcing new trust rules, and the deadline is fixed. Teams that prepare now will transition quietly without impact. Teams that wait will discover the change only when users start seeing warnings.</p><p>Audit your certificate chains. Install the full trust path. Move to the new public roots with confidence.</p><p>Because when it comes to certificate trust, being proactive is the only safe option. Don’t hesitate to <a href="https://certera.com/support">contact our SSL Experts</a> for any query!</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://certera.com/blog/">EncryptedFence by Certera – Web &amp; Cyber Security Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Janki Mehta">Janki Mehta</a>. Read the original post at: <a href="https://certera.com/blog/sectigo-new-public-roots-and-issuing-cas-hierarchy-2025-migration-guide/">https://certera.com/blog/sectigo-new-public-roots-and-issuing-cas-hierarchy-2025-migration-guide/</a> </p>