Who is affected by the AddTrust External CA expiration?
Most website users will not be affected by the expiration of the AddTrust External CA root. The AddTrust cross-signing was originally done to account for older devices that did not include the USERTrust root. If the USERTrust root is present (as it is in 100% of modern browsers, operating systems, and mobile devices), the software will simply choose a trust path that leads to USERTrust and ignores AddTrust. Due to the USERTrust root’s ubiquity, the AddTrust expiration affects only a very small number of legacy devices.
If you have been issued an affected certificate by SSL.com, you should receive an email message alerting you and indicating steps you can take to maintain compatibility with these few legacy devices. If you already know you have been issued a certificate with the AddTrust cross signing, replacement intermediate and root certificates are available below:
Download and install replacement intermediate and root certificates
For continued support of legacy devices that are affected by the AddTrust expiration, Sectigo offers a cross signing with its AAA root, which is valid until 2028. Replacement intermediate and root certificates are available as individual certificates or a single bundled file by clicking the buttons below:
For help with installation, please refer to your provider’s documentation or one of SSL.com’s certificate installation how-tos.
Affected client software
Some older SSL/TLS clients, including OpenSSL 1.0.x and GnuTLS are affected by the expiry of the AddTrust External CA Root. Users relying on these clients should remove the expired AddTrust certificate from their OS root store. Links with fixes for Ubuntu and Red Hat Linux are listed below: