{"id":4217,"date":"2026-01-09T07:04:42","date_gmt":"2026-01-09T07:04:42","guid":{"rendered":"https:\/\/cheapsslweb.com\/blog\/?p=4217"},"modified":"2026-01-09T10:41:48","modified_gmt":"2026-01-09T10:41:48","slug":"sectigo-public-root-ca-migration-2025-what-ssl-users-must-know","status":"publish","type":"post","link":"https:\/\/cheapsslweb.com\/blog\/sectigo-public-root-ca-migration-2025-what-ssl-users-must-know\/","title":{"rendered":"Sectigo Public Root CA Migration: What SSL Users Must Know"},"content":{"rendered":"\n

Sectigo executed a significant migration of Public Root and Intermediate CAs from 2025 up to the beginning of 2026.<\/p>\n\n\n\n

This alteration has an impact on the issuance of TLS\/SSL<\/a> and S\/MIME certificates<\/a>, as well as their installation process.<\/p>\n\n\n\n

This article discusses the reasons behind the change, the specific changes made, and the steps for a secure migration.<\/p>\n\n\n\n

What Are Public Root CAs?<\/h2>\n\n\n\n

Public Root Certificate Authorities are the topmost tier of trust in the digital certificate ecosystem. Root certificates that are included in the trusted stores of operating systems, browsers, and email clients allow them to automatically verify SSL\/TLS and S\/MIME certificates.<\/p>\n\n\n\n

If a certificate connects back to a trusted public root CA<\/a>, the users are able to create secure connections and have encrypted communications without any warnings or need for manual intervention.<\/p>\n\n\n\n

Also Read:<\/strong> What is SSL Certificate Chain in PKI? How Does It Work?<\/a><\/p>\n\n\n\n

Why Sectigo Introduced New Public Roots<\/h2>\n\n\n\n
\n

Sectigo brought up new Public Root CAs as a means to strengthen the security in the long run and to keep up with the ever-changing requirements of the browsers and industry. The older roots were created years back and are getting to the point where modern cryptography and compliance expectations can no longer be met.<\/p>\n<\/blockquote>\n\n\n\n

New single-purpose roots for both TLS and S\/MIME will allow Sectigo to enhance its cryptographic agility, manage trusts more easily, and guarantee acceptance everywhere in the root programs.<\/p>\n\n\n\n

What has been modified in the Sectigo Ecosystem<\/h2>\n\n\n\n

Transition from Traditional to Contemporary Sectigo Foundations<\/h3>\n\n\n\n

In the past, a majority of Sectigo certificates were linked to the long-existing USERTrust and AAA root certificates. After the migration, certificates being issued are linked to present-day Sectigo Public Roots, including the Server Authentication and Email Protection roots (R46 and E46).<\/p>\n\n\n\n

Trusting these roots means that browsers and operating systems will support Sectigo’s discontinuing the use of legacy roots for new issuances, but all the same maintaining the trust between users and the issuer.<\/p>\n\n\n\n

New Intermediaries<\/h3>\n\n\n\n

Now, new intermediates at the level of authorities have been introduced, namely the R36 (RSA) and E36 (ECC) series. These intermediates are designated for specific purposes that distinguish the different scenarios, such as Domain Validation<\/a>, Organization Validation<\/a>, Extended Validation<\/a>, and Email Signing<\/a>.<\/p>\n\n\n\n

In this way, there is a certain predictability in routine, a clean certificate chain, thus making it easier to manage, audit, and eventually rotate the certificates.<\/p>\n\n\n\n

Cross-Signing for Backward Compatibility<\/h3>\n\n\n\n

To stop the trust loss for the older devices and systems, Sectigo cross-signed its new Public Root CAs with existing trusted roots such as USERTrust.<\/p>\n\n\n\n

With cross-signing, the new root certificate via the older and more trusted root has the validation done, which means compatibility with legacy devices, older operating systems, and outdated applications. This solution allows for co-existing with the past while being at the forefront of technology.<\/p>\n\n\n\n

Migration Timelines<\/h2>\n\n\n\n

The following are the important timelines related to migration.<\/p>\n\n\n\n

\n

Starting from the 1st of January, 2026, no SSL reissues<\/a> under old root chains, no fallback to USERTrust-only chains, only R46\/E46 roots and R36\/E36 intermediates will be allowed.<\/p>\n<\/blockquote>\n\n\n\n

Certificate Type<\/strong><\/td>Migration Date<\/strong><\/td><\/tr>
S\/MIME<\/td>March 1, 2025<\/td><\/tr>
EV TLS<\/td>April 15, 2025<\/td><\/tr>
OV TLS<\/td>May 15, 2025<\/td><\/tr>
DV TLS<\/td>June 2, 2025<\/td><\/tr>
Enforcement Deadline<\/td>January 1, 2026<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

What Changed in Certificate Installation<\/h2>\n\n\n\n

Full CA Bundle Is Now Mandatory<\/h3>\n\n\n\n
\"Sectigo<\/figure>\n\n\n\n

Sectigo has altered its policy and is now offering the whole bundle of certificates together with the CA as a default. This huge lot consists of the intermediate certificate<\/a>, the cross-signed root certificate, and the old USERTrust root, if that is the case.<\/p>\n\n\n\n

When the whole bundle is installed, clients are able to be the ones who create the trust path correctly and automatically, especially in the case of the older devices and OS that still verify through cross-signed chains.<\/p>\n\n\n\n

RSA and ECC Awareness<\/h3>\n\n\n\n
\"Sectigo<\/figure>\n\n\n\n

Sectigo continues to support the use of both RSA and ECC cryptographic algorithms<\/a>, with RSA being the most widely used for the majority of certificates. On the other hand, many modern servers and balancers generate automatic ECC certificates during TLS handshakes<\/a>.<\/p>\n\n\n\n

\"Sectigo<\/figure>\n\n\n\n

In order to prevent the occasional trust or handshake problems, the administrators should make sure that the right RSA and ECC intermediates and roots are installed for their environment and use case.<\/p>\n\n\n\n

Also Read:<\/strong> Root Certificates vs. Intermediate Certificates<\/a><\/p>\n\n\n\n

Migration Steps<\/h2>\n\n\n\n

Step 1: Audit Your Environment<\/h3>\n\n\n\n