What is a cross-signed root certificate?

A cross-signed root certificate is a digital certificate issued by one Certificate Authority (CA) that is used to establish trust in another CA’s root certificate. This mechanism is commonly used in the context of Public Key Infrastructure (PKI) to bridge trust between different CAs. Cross-signing allows the CA to leverage the trust already established in one of its root certificates to extend trust to another root certificate it controls. As a result, clients and systems that trust the first CA’s root certificate can also trust the second CA’s root certificate because it has been cross-signed by the first CA. This helps maintain compatibility with older systems and ensures a broader level of trust across different CAs in a PKI ecosystem.

The SSL.com cross-signed certificate will expire on September 11th, 2023. This certificate was created by Asseco Data Systems (Certum) to cross-sign the SSL.com Root that was created in 2016. SSL.com Root Certificates sign our intermediate certificates, which are then used to sign our domain validated certificates.

Why will SSL.com’s cross-signed root certificate expire on September 11, 2023?

The expiration of a cross-certificate is a normal event in the lifecycle of a Root CA. It does not affect Subscribers or Relying Parties that use secure and updated devices or, generally, devices from the last 7-8 years. Such devices ship with a Trusted Root Store that includes SSL.com Roots by default. The expiration of the cross-signing certificate also shortens the chain of trust (the PKI hierarchy), thereby improving the performance of SSL/TLS certificates issued by SSL.com.

Will SSL/TLS certificates issued before September 11, 2023 continue to be trusted?

Yes. The expiring cross-signed root certificate should not impact your clients as the SSL.com 2016 self-signed Root certificate has gained ubiquity and is trusted by all major browsers and certificate stores. The normal X.509 certificate path building process would ignore the expiring certificate in the certificate bundle and look for a valid chain all the way up to the SSL.com Trusted Root. The SSL.com self-signed root certificates that your certificates chain to do not expire until 2041.

Is it necessary to reissue or reinstall SSL/TLS certificates that were issued before September 11, 2023?

In most cases, no. Your certificate will remain valid until the date that it is set to expire. Despite the expiring cross-signed certificate, trust stores will, most of the time, update automatically, and older certificates will find the new correct path without being reissued. On some platforms, especially older ones, you might have to do any or all of the following: restart your web server, manually remove the expired cross-signed certificate from the trust store, reinstall the SSL.com intermediate and self-signed root certificates, and/or reprocess your certificate. Instructions for each of these remedies are in the section below: Updating Certificate Chain.

Where can I download the SSL.com self-signed Root Certificate and Intermediate Certificates?

Our self-signed root and intermediate certificates can be downloaded from your certificate order page, where you also downloaded your SSL/TLS certificate.
You can also download them from this page: Install SSL.com CA Root Certificates.

Updating Certificate Chain
- In the Windows certificate store, you can remove the expired cross-signed certificate by following these steps:
  - Launch Microsoft Management Console (MMC).
  - Click File on the top menu and select Add/Remove Snap-in…
  - Click Certificates from the Available snap-ins.
  - Select Computer account and then click the Next > button.
  - Click the Finish button.
  - Click the OK button.
  - Right-click Certificates (Local Computer) and select Find Certificates…
  - In the Contains field, type Certum.
  - Click the Find Now button.
  - Right-click the SSL.com cross-signed Root Certificate which was issued by Certum Trusted Network CA, and which expired on 9/11/2023.
  - Click Delete.
- If your current SSL/TLS certificate still does not find the correct path after removing the expired cross-signed root certificate from the trust store, restart your web server and see if that resolves the issue.
- Redownload and reinstall the intermediate certificates, and the SSL.com self-signed root certificate. Please refer to this guide article which shows how to install these certificates in popular web servers: How Do I Install a Certificate?
- Reprocess your certificate to obtain a new issuance. Please refer to this guide article which shows how to reprocess your certificate: Reprocess a certificate. After reprocessing, download and install your new certificate, the intermediate certificates, and the SSL.com self-signed root certificate.
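
The Windows certificate store steps above can also be scripted. The following PowerShell is an added example, not SSL.com's own tooling: the function name is hypothetical, the match strings are taken from the steps above, and it assumes an elevated session on the affected server.

```powershell
# Added example: scripted equivalent of the MMC "Find Certificates" steps.
# Function name is hypothetical; match strings come from the steps above.
function Remove-ExpiredCrossSignedRoot {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$IssuerMatch  = 'Certum Trusted Network CA',
        [string]$SubjectMatch = 'SSL.com',
        [string]$StoreRoot    = 'Cert:\LocalMachine'   # "Computer account" in MMC
    )

    $now = Get-Date

    # Search every store under the computer account for the cross-signed root.
    $candidates = Get-ChildItem -Path $StoreRoot -Recurse | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.Issuer  -like "*$IssuerMatch*"  -and
        $_.Subject -like "*$SubjectMatch*" -and
        $_.Subject -ne $_.Issuer -and   # cross-signed: issuer differs from subject
        $_.NotAfter -lt $now            # only certificates that have already expired
    }

    foreach ($cert in $candidates) {
        # Last path segment of PSParentPath is the store name (Root, CA, ...).
        $store = ($cert.PSParentPath -split '\\')[-1]

        # Emit a record of each match so the run can be reviewed or logged.
        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }

        # Delete only after confirmation; -WhatIf skips this branch entirely.
        if ($PSCmdlet.ShouldProcess($cert.Subject, "Delete from store '$store'")) {
            Remove-Item -LiteralPath $cert.PSPath -Confirm:$false
        }
    }
}

# Dry run: lists the matching certificates and deletes nothing.
Remove-ExpiredCrossSignedRoot -WhatIf
```

The self-signed SSL.com roots are never matched, because their issuer equals their subject. Run the function without -WhatIf to be prompted before each deletion.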