AddTrust Root Expiration: Network Solutions® Customer Guide

Important: This article applies to Network Solutions® customers only.

The AddTrust External CA Root certificate expired on May 30, 2020. If you're a Network Solutions® customer, you could be impacted if your older devices and systems use it for SSL/TLS. Here's what you should do to keep your website or application safe and working without issues.

AddTrust Root Expiration – What You Need to Know

To improve compatibility with older systems and devices, Network Solutions may cross-sign certificates using the AddTrust legacy root. This root expired at the end of May 2020. Applications or installations that depend on the cross-signed root may encounter issues or outages if they were not updated by that point.

In most cases, the standard root provides all the client support you need. For unique circumstances, we offer a new cross-signing option with our AAA root, which is good until 2028. This article details the AddTrust root expiration, cross-signing, and possible fixes after that date.

 

What Is a Root Certificate?

Root certificates are self-signed: their "Issuer" and "Subject" attributes are the same. They are trusted because they are part of the default trust stores of operating systems and browsers.

The OS or browser software regularly updates these trust stores as part of security updates. Older, out-of-date platforms were frequently only updated as a component of software updates.

Site certificates are issued through a "chain" of intermediate CAs that link to trusted root certificates.

Keeping up with security upgrades is essential. Devices that have not been updated with current roots may not handle current internet standards. Android is a good example: Android 2.3 Gingerbread is considered outdated and unsupported, partly because it doesn't support TLS 1.2 or 1.3 and relies on the AddTrust root.

See the article Chain Hierarchy and Intermediate Roots for more information.

 

What Is Cross-Signing?

Certificate Authorities (CAs) manage several root certificates, and the older roots tend to be the ones most widely used on legacy systems. To extend trust and recognition, CAs issue cross-certificates. A cross-certificate carries the same subject and public key as a root certificate but is signed by a different root.

For example, a cross certificate could be:

Subject: COMODO RSA Certification Authority

Issuer: AddTrust External CA Root

https://crt.sh/?id=1044348

It uses the same subject and public key as the self-signed COMODO root certificate.

Browsers and clients will chain back to the "best" root certificate they trust.

 

AddTrust External CA Expiration

We control a root certificate called the AddTrust External CA Root, which is used to create cross-certificates for our modern root certificates: the COMODO RSA Certification Authority and the USERTrust RSA Certification Authority. These roots don't expire until 2038.

However, the AddTrust External CA Root expired on May 30, 2020.

After this date, clients and browsers will chain back to the modern roots that the AddTrust cross-certificates were issued for. Platforms and devices that have received the most recent upgrades will not show any issues.

 

Certificate Chain Diagram

An outdated device or legacy browser lacking the current "USERTrust" root would not trust it and would search further up the chain for the AddTrust External CA Root, a root it trusts. Instead of depending on the outdated AddTrust root, a more recent browser would have the USERTrust root installed and trust it.

What You Need to Do

If you have issued certificates cross-chained to the AddTrust root, there's usually no need to take action, especially for certificates used on modern clients or servers.

For business operations that depend on older systems, we have included a new legacy root for cross-signing, the "AAA Certificate Services" root, which is available (by default in the certificate bundles) as of April 30, 2020. Nevertheless, you should exercise caution while using outdated legacy technology.

Additionally, systems that lack the updates required to handle more modern roots (like our COMODO root) should be regarded as vulnerable and lacking other crucial security fixes. To cross-sign with the AAA Certificate Services root, please contact us directly.

 

FAQs

After May 30, 2020, will my certificate still be trusted?

Yes. The modern COMODO and USERTrust roots, valid until 2038, are present in all current clients and operating systems.

You need to update and install the more recent roots on platforms (embedded devices) where the trust stores have been intentionally constrained or cannot be updated. Please ensure the vendor has also installed the required security upgrades on these devices.

 

Do I need to reissue or reinstall my certificate?

No. You don't need to reissue or reinstall the certificate; it will remain trusted until it naturally expires. You can stop installing the cross-certificate on your server. If you need a certificate that is compatible with your legacy device, you can replace it with a new one.

 

Can I confirm that I won't encounter any issues?

Yes. You can test the website by moving your system's clock forward to June 1, 2020, if your certificate is valid through June 2020 and beyond. You can see that the certificate links back to the COMODO or USERTrust root, and errors won't appear in modern browsers. Some browsers, like Google Chrome, may flag your system clock as incorrect and show a warning unrelated to your certificates.
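The chain selection described under Certificate Chain Diagram and the June 1, 2020 clock test above can be reproduced offline with a simplified path-building model. This is an added example, not Network Solutions code; the intermediate and site names, the helper names, and every expiry day other than May 30, 2020 are assumptions, and signatures are not verified.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed records: (subject, issuer, not_after). Names and expiry years follow
# the article; days other than 2020-05-30 are placeholders. Signatures, key
# matching, notBefore and time of day are not modeled.
ADDTRUST = ("AddTrust External CA Root", "AddTrust External CA Root", utc(2020, 5, 30))
AAA = ("AAA Certificate Services", "AAA Certificate Services", utc(2028, 12, 31))
USERTRUST = ("USERTrust RSA Certification Authority",
             "USERTrust RSA Certification Authority", utc(2038, 1, 1))
CROSS_ADDTRUST = (USERTRUST[0], ADDTRUST[0], utc(2020, 5, 30))  # same subject as root
CROSS_AAA = (USERTRUST[0], AAA[0], utc(2028, 12, 31))
INTERMEDIATE = ("Example Issuing CA (hypothetical)", USERTRUST[0], utc(2030, 1, 1))
LEAF = ("www.example.test", INTERMEDIATE[0], utc(2021, 1, 1))

def build_path(leaf, sent, trust_store, now):
    """Return subjects from leaf to a trusted root, or None if no valid path exists.

    sent: extra certificates the server presents; trust_store: the client's roots.
    """
    def walk(cert, seen):
        subject, issuer, not_after = cert
        if now > not_after or cert in seen:
            return None                      # expired certificate, or a loop
        for root in trust_store:             # stop at the first trusted, unexpired root
            if root[0] == issuer and now <= root[2]:
                return [subject, root[0]]
        for candidate in sent:               # otherwise climb via a sent certificate
            if candidate[0] == issuer:
                rest = walk(candidate, seen + [cert])
                if rest:
                    return [subject] + rest
        return None
    return walk(leaf, [])

if __name__ == "__main__":
    june = utc(2020, 6, 1)
    cases = {
        "modern client": ([INTERMEDIATE, CROSS_ADDTRUST], [USERTRUST, ADDTRUST]),
        "AddTrust-only client": ([INTERMEDIATE, CROSS_ADDTRUST], [ADDTRUST]),
        "legacy client, AAA bundle": ([INTERMEDIATE, CROSS_AAA], [ADDTRUST, AAA]),
    }
    for name, (sent, store) in cases.items():
        print(name, "->", build_path(LEAF, sent, store, june))
```

Changing the `now` argument plays the role of moving the system clock: the AddTrust-only client builds a path on May 1, 2020 and returns `None` on June 1, 2020.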

Here are some test sites you can use to evaluate your environment.

  • These links provide a valid certificate issued by specific chains.
  • You can use them to test which root certificates clients support.
  • You can set your system clock to June 2020 to see how clients respond after the AddTrust root and cross-certificates expire.

The current roots are USERTrust RSA/ECC Certification Authority and COMODO RSA/ECC Certification Authority:

Click the 'certificates' label on the crt.sh link to download the certificate file.

 

The following platforms have included these roots since:

Apple:

  • macOS Sierra 10.12.1 Public Beta 2
  • iOS 10

Microsoft:

  • Windows XP (via Automatic Root Update)
  • Windows Phone 7

Mozilla:

  • Firefox 3.0.4 (COMODO ECC Certification Authority)
  • Firefox 36 (the other three roots)

Google:

  • Android 2.3 (COMODO ECC Certification Authority)
  • Android 5.1 (the other three roots)

Oracle:

  • Java JRE 8u51

Opera:

  • Browser launched in December 2012

360:

  • SE 10.1.1550.0
  • Extreme Browser version 11.0.2031

The list below shows the older versions with which the cross-certificates are compatible:

  • Apple iOS version 3.
  • Apple macOS version 10.4.
  • Google Android version 2.3.
  • Mozilla Firefox version 1.
  • Oracle Java JRE version 1.5.0 with patch update release of 8.

AAA Certificate Services self-signed root [expiring 2028] - https://crt.sh/?id=331986

 

AAA Certificate Services - cross-certificates:

 

What should I do if my infrastructure or application only trusts AddTrust?

Errors will arise after May 30, 2020, if a system or application only depends on the AddTrust External CA root rather than the more recent Comodo or USERTrust roots.

 

Important precautions and notes for legacy systems and devices:

  • You should update such systems to include more modern root certificates. If the platform doesn't support newer algorithms like SHA-2, contact the system vendor to discuss possible upgrades.
  • Customers may need to integrate the new USERTrust Root replacement before the May 2020 expiration date if they have already integrated AddTrust Root into their applications or custom legacy devices.
  • To enhance backward compatibility, we have created cross-certificates from one of our other, older legacy roots in addition to the AddTrust root. The root known as 'AAA Certificate Services' signs these cross-certificates. For further information, contact Support or your Account Manager.

 

Review

This article explains the AddTrust root expiration in May 2020 and its effect on SSL trust, covering root certificates, certificate chains, cross-signing, and legacy system support.
