What SSL’s Root Migration Means for You

SSL.com is moving TLS certificate issuance from our 2016 roots to new 2022 roots. Here’s what the migration means for your certificates and systems, especially if you use Client Authentication in SSL/TLS certificates.

What This Means for You

For most SSL customers, this migration is seamless. If your TLS certificates are used for standard HTTPS web server authentication, your certificates will continue to work exactly as expected after issuance moves to the 2022 roots.

If your systems depend on the ClientAuth EKU in your TLS certificates, you have a decision to make and several options to consider:

  • Have systems pinned to the 2016 roots, but need Chrome trust? This is the most complex scenario, requiring immediate attention. Our PKI solutions experts can work with you and/or your team to map out a practical path forward for your environment.
  • Switch to our Client Certificate product. For client authentication, use dedicated client certificates. These are built for this use and not affected by Google Chrome’s server authentication requirements.
  • Stay on the 2016 roots if Chrome trust isn’t a concern. If you don’t need Chrome browser trust, you may remain on the 2016 roots for now, but browser trust will narrow over time, so action will be needed in the near future. 
  • Use cross-certificates for backward compatibility. If your organization needs trust that chains back to the 2016 roots while also moving forward, cross-certificates can bridge that gap. This is a great option for teams with systems that have dependencies on the older root hierarchy.

Why This Is Happening

Roots Age Out

Root certificates are the anchors of digital trust. Browsers and operating systems maintain lists of roots they recognize as trustworthy, and every certificate you issue traces back to one of them. However, older roots carry more risk over time.

Roots that have been in circulation for years have had more exposure, more time for cryptographic vulnerabilities to emerge, and greater potential for misuse. That’s a big part of why the industry has been steadily shortening certificate lifespans and pushing certificate authorities to modernize their trust hierarchies. Browsers increasingly favor newer, well-governed roots. Migrating to our 2022 roots keeps SSL aligned with where the industry is heading and keeps your certificates trusted by modern browsers.

The Chrome Factor

Chrome’s Root Program is mandating that public TLS certificates include only the Server Authentication Extended Key Usage (EKU). For years, it’s been common practice to issue TLS certificates that also include the ClientAuth EKU, thereby allowing a single certificate to handle both server and client authentication. Chrome has determined that this dual use was never the intended purpose of a public TLS certificate and is phasing it out.

Because our 2016 roots were used to issue certificates that could include ClientAuth EKU, SSL is removing those roots from public trust stores and transitioning issuance to our 2022 roots. Certificates issued from the 2022 roots will carry Server Authentication only, in full alignment with Chrome’s requirements.
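To see which of your deployed certificates depend on the dual-use pattern described above, you can read the EKU extension directly. The following is an added example, not SSL.com code: a standard-library Python walker that classifies a DER certificate by its EKU OIDs. The function names and the sample bytes are assumptions made for illustration.

```python
SERVER_AUTH, CLIENT_AUTH, EKU_EXT = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2", "2.5.29.37"

def children(buf):
    """Yield (tag, value) for each DER element in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                   # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + length]
        pos += length

def oid_str(body):
    top = min(body[0] // 40, 2)             # first byte packs the first two arcs
    arcs, acc = [top, body[0] - 40 * top], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def eku_oids(der):
    """Return the EKU OIDs in the certificate, or None if it has no EKU extension."""
    stack = [der]
    while stack:
        for tag, val in children(stack.pop()):
            if not tag & 0x20:              # primitive element, nothing nested inside
                continue
            kids = list(children(val))
            if kids and kids[0][0] == 0x06 and oid_str(kids[0][1]) == EKU_EXT:
                _, seq = next(children(kids[-1][1]))   # extnValue wraps SEQUENCE OF OID
                return [oid_str(v) for _, v in children(seq)]
            stack.append(val)
    return None

def classify(der):
    ekus = eku_oids(der)
    if ekus is None:
        return "no-eku"
    server, client = SERVER_AUTH in ekus, CLIENT_AUTH in ekus
    if server and client:
        return "dual-use"                   # ClientAuth riding on a server certificate
    return "server-only" if server else "client-only" if client else "other"

# Constructed sample: certificate-shaped DER skeleton holding only an EKU extension
# (serverAuth + clientAuth). It is not a real certificate.
SAMPLE_DUAL = bytes.fromhex("30253023a321301f301d0603551d250416301406082b0601050507030106082b06010505070302")
```

For a real PEM file, convert it with `ssl.PEM_cert_to_DER_cert(pem_text)` and pass the result to `classify`; anything reported as `dual-use` is a certificate to review before moving to the 2022 roots.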

We’re Here to Help

Whether you need to migrate to a client certificate product, explore cross-certificate options, or build a transition plan around your existing infrastructure, SSL’s PKI experts are ready to help you find the right solution for your organization.

If you’re unsure how this change affects your certificate deployments, or if you need help evaluating your options, contact our team today to discuss your specific needs or to get immediate assistance with your migration strategy.

 


Effective March 11, 2026, SSL/TLS certificate durations reduce to 200 days.
