New ROOT Certificates
Certification Authorities are responding to new requirements and policies from Mozilla and Google and are deploying new Root certificates to comply with them and to ensure their certificates are trusted in browsers. These changes also meet evolving security requirements and follow industry standards and rules set by the CA/Browser Forum for Root certificates.
If you are using up-to-date operating systems and browsers, and your customers/website visitors are too, you will most likely not notice any changes.
For older or outdated systems (e.g. Android versions older than 14), so-called cross-certificates must be installed on the server so that SSL certificates, including S/MIME certificates, keep working without interruption.
During installation, the cross-certificate is placed at the end of the certificate chain (the intermediate certificates), right below the Root of the hierarchy; the whole chain is installed on the server together with the issued certificate.
Table of Contents
- CA DigiCert (Thawte, GeoTrust and RapidSSL)
- CA Certum
- CA Sectigo (PositiveSSL)
- FAQ
- Installation of cross-certificates on IIS
CA DigiCert (Thawte, GeoTrust, RapidSSL)
The Certification Authority DigiCert began migrating to its second-generation (G2) Root certificates back in 2023. Details of the changes are published on the page DigiCert root and intermediate CA certificate updates 2023.
CA Certum
CA Certum introduced new Root certificates in compliance with Mozilla and Google policies on September 15, 2025. Note that separate Root certificates are used for RSA certificates and for elliptic-curve (ECC) certificates. More information is published by CA Certum on the page Certum implements new Root CAs.
CA Sectigo
CA Sectigo started migrating its Public Root CAs in 2025, specifically in April (EV), May (OV) and June (DV certificates, i.e. PositiveSSL certificates). More information is published on the page Sectigo KB - Public Root CAs Migration.
PositiveSSL certificates
For these popular SSL certificates to be trusted also by older versions of operating systems and browsers, the USERTrust cross-certificate must be added after the intermediate certificates, below the Root. If you do not have the complete CA Bundle file, you can download it here.
Intermediate certificates in the file cabundle-positivessl.txt (download):
- CN: Sectigo Public Server Authentication CA DV R36, valid until March 21, 2036
- CN: Sectigo Public Server Authentication Root R46, valid until January 18, 2038
- CN: USERTrust RSA Certification Authority, valid until January 18, 2038
FAQ
Why are these changes necessary?
These changes are essential to ensure the security and trustworthiness of SSL/TLS certificates in accordance with current security standards and requirements. Older Root certificates may have weaker security or may not meet new requirements, which can lead to compatibility and trust issues with certificates.
What is recommended to do?
- Discontinue Certificate Pinning if used
- Update the certificates in use
- Update your systems
What is cross-signing?
Certification Authorities often manage several Root certificates, and generally the older the Root, the more widely it is distributed on older platforms. To take advantage of this, they issue cross-certificates so that their certificates are supported as widely as possible. A cross-certificate is a certificate in which one Root certificate signs another Root certificate.
More information: Sectigo KB - What is Cross-Signing?
Where to find more information
- Google Chrome: Google Chrome Root Program Policy
- Microsoft: Microsoft Trusted Root Program
- Mozilla: Mozilla Root Store Policy
- CA/B Forum: cabforum.org
Installation of new Root certificates in Windows systems (IIS)
New Root certificates are regularly distributed through Windows Update, but if you want to be sure they are installed, you can download and install them manually. However, a problem sometimes occurs with website certificates that have multiple trusted certification paths to Root Certification Authorities: the website certificate then appears untrusted to visitors with older systems, because IIS does not serve the cross-certificate in the chain it presents.
The solution for IIS administrators is described here: Certificate validation fails when a certificate has multiple trusted certification paths to root CAs.