AddTrust External CA Root Expired May 30, 2020

Some certificates issued by in the past chain to Sectigo’s USERTrust RSA CA root certificate via an intermediate that is cross-signed by an older root, AddTrust External CA. The AddTrust root expired on May 30, 2020, and some of our customers have been wondering if they or their users will be affected by the change.

Who is affected by the AddTrust External CA expiration?

Most website users will not be affected by the expiration of the AddTrust External CA root. The AddTrust cross-signing was originally done to account for older devices that did not include the USERTrust root. If the USERTrust root is present (as it is in 100% of modern browsers, operating systems, and mobile devices), the software will simply choose a trust path that leads to USERTrust and ignores AddTrust. Due to the USERTrust root’s ubiquity, the AddTrust expiration affects only a very small number of legacy devices.

Need a certificate? has you covered. Compare options here to find the right choice for you, from S/MIME and code signing certificates and more.


If you have been issued an affected certificate by, you should receive an email message alerting you and indicating steps you can take to maintain compatibility with these few legacy devices. If you already know you have been issued a certificate with the AddTrust cross signing, replacement intermediate and root certificates are available below:

Download and install replacement intermediate and root certificates

For continued support of legacy devices that are affected by the AddTrust expiration, Sectigo offers a cross signing with its AAA root, which is valid until 2028. Replacement intermediate and root certificates are available as individual certificates or a single bundled file by clicking the buttons below:



For help with installation, please refer to your provider’s documentation or one of’s certificate installation how-tos.

Affected client software

Some older SSL/TLS clients, including OpenSSL 1.0.x and GnuTLS are affected by the expiry of the AddTrust External CA Root. Users relying on these clients should remove the expired AddTrust certificate from their OS root store. Links with fixes for Ubuntu and Red Hat Linux are listed below:

Thank you for choosing! If you have any questions, please contact us by email at, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.

Subscribe to’s Newsletter

Don’t miss new articles and updates from

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.