What are Sectigo Public Root CAs?

Sectigo Public Root CAs (Certificate Authorities) are foundational elements in ensuring that digital certificates are trusted across the web. They are now incorporated into the major root stores (Mozilla, Microsoft, Apple, Google/Chrome). This means your Sectigo certificates will enjoy enhanced security and trust on all modern platforms, ensuring that your websites, email communications, and other digital transactions remain secure.

Why the migration to new Public Root CAs?

The migration to Sectigo’s new Public Root CAs is a proactive step to ensure our certificates remain highly secure, trusted, and compliant with modern industry standards. By incorporating the new roots into major root stores (Mozilla, Microsoft, Apple, Google/Chrome), Sectigo is securing the future reliability of your certificates. This change also aligns with evolving security requirements, following industry standards and requirements set by root stores and the CA/Browser Forum, ensuring that both we and your organization stays ahead of potential threats while maintaining trust across all platforms and devices.

Table of Contents

1 What are Sectigo Public Root CAs?
2 Why the migration to new Public Root CAs?
- 2.1 How do I prepare?
- 2.2 Will this affect my existing certificates?
3 Root and Subordinate CA Certificates
4 Additional Information

How do I prepare?

Update used certificates: If you have hard-coded specific Root CAs and/or Subordinate CAs within your implementation tools, please make sure these are updated to install the appropriate CA certificates. See the list below, and replace the Sectigo Public Root CA on or after the date listed.
Update your systems: Review your certificate profiles and ensure everything is ready to accept certificates from the new Sectigo Public Roots.

Regarding University of Texas at Austin Services
The following services will have their public root CA certificates updated on the dates listed below:

Application Delivery Controller (F5 Load Balancing) - May 15th, 2025, the OV Public Root CA will be updated. At this time, this service only hosts OV certificates, no EV or DV certificates are being used.

Additional services will be listed soon!

Will this affect my existing certificates?

NO, your existing certificates will remain valid until they expire. The change only applies to certificates issued after the migration dates mentioned above.

This compatibility is ensured through cross-signing. CAs often control multiple root certificates, and generally the older the root the more widely distributed it is on older platforms. In order to take advantage of this fact, CAs generate cross certificates to ensure that their certificates are as widely supported as possible. A cross certificate is where one root certificate is used to sign another. The cross certificate uses the same public key and Subject as the root being signed.

If you hold a multi-year subscription certificate, a reissues occurs after migration dates mentioned. Sectigo will supply the new Public Root CAs with your end entity certificate.

Root and Subordinate CA Certificates

S/MIME (email signing) Certificates This is automatic, and part of the email signing certificate process and portal. If you handle any email signing certificates manually, please ensure you are using the latest root certificates from below.

S/MIME (email signing) Certificates

This is automatic, and part of the email signing certificate process and portal. If you handle any email signing certificates manually, please ensure you are using the latest root certificates from below.

Current (SHOULD NOT BE USED after 3/1/2025)

After March 1st, 2025

For RSA based keys:

Root CA: USERTrust RSA Certification Authority (https://crt.sh/?d=1199354)
Subordinate CA: Sectigo RSA Client Authentication and Secure Email CA (https://crt.sh/?d=924467858)

For RSA based keys:

Root CA: Sectigo Public Email Protection Root R46 (https://crt.sh/?d=4256644602)
Subordinate CA: Sectigo Public Email Protection CA R36 (https://crt.sh/?d=4267304694)

For ECC based keys:

Root CA: USERTrust ECC Certification Authority (https://crt.sh/?d=2841410)
Subordinate CA: Sectigo ECC Client Authentication and Secure Email CA (https://crt.sh/?d=924467856)

For ECC based keys:

Root CA: Sectigo Public Email Protection Root E46 (https://crt.sh/?d=4256644601)
Subordinate CA: Sectigo Public Email Protection CA E36 (https://crt.sh/?d=4267304699)

Extended Validation (EV) TLS Certificates

Extended Validation (EV) TLS Certificates

Current (SHOULD NOT BE USED after 4/15/2025)

After April 15th, 2025

For RSA based keys:

Root CA: USERTrust RSA Certification Authority (https://crt.sh/?d=1199354)
Subordinate CA: Sectigo RSA Extended Validation Secure Server CA (https://crt.sh/?d=924467854)

For RSA based keys:

Root CA: Sectigo Public Server Authentication Root R46 (https://crt.sh/?d=4256644734)
Subordinate CA: Sectigo Public Server Authentication CA EV R36 (https://crt.sh/?d=4267304687)

For ECC based keys:

Root CA: USERTrust ECC Certification Authority (https://crt.sh/?d=2841410)
Subordinate CA: Sectigo ECC Extended Validation Secure Server CA (https://crt.sh/?d=924467862)

For ECC based keys:

Root CA: Sectigo Public Server Authentication Root E46 (https://crt.sh/?d=4256644603)
Subordinate CA: Sectigo Public Server Authentication CA EV E36 (https://crt.sh/?d=4267304692)

Organization Validation (OV) TLS Certificates

Organization Validation (OV) TLS Certificates

Current (SHOULD NOT BE USED after 5/15/2025)

After May 15th, 2025

For RSA based keys:

Root CA: USERTrust RSA Certification Authority (https://crt.sh/?d=1199354)
Subordinate CA: Sectigo RSA Organization Validation Secure Server CA (https://crt.sh/?d=924467857)

For RSA based keys:

Root CA: Sectigo Public Server Authentication Root R46 (https://crt.sh/?d=4256644734)
Subordinate CA: Sectigo Public Server Authentication CA OV R36 (https://crt.sh/?d=4267304698)

For ECC based keys:

Root CA: USERTrust ECC Certification Authority (https://crt.sh/?d=2841410)
Subordinate CA: Sectigo ECC Organization Validation Secure Server CA (https://crt.sh/?d=924467859)

For ECC based keys:

Root CA: Sectigo Public Server Authentication Root E46 (https://crt.sh/?d=4256644603)
Subordinate CA: Sectigo Public Server Authentication CA OV E36 (https://crt.sh/?d=4267304689)

Domain Validation (DV) TLS Certificates

Domain Validation (DV) TLS Certificates

Current (SHOULD NOT BE USED after 6/2/2025)

After June 2nd, 2025

For RSA based keys:

Root CA: USERTrust RSA Certification Authority (https://crt.sh/?d=1199354)
Subordinate CA: Sectigo RSA Domain Validation Secure Server CA (https://crt.sh/?d=924467861)

For RSA based keys:

Root CA: Sectigo Public Server Authentication Root R46 (https://crt.sh/?d=4256644734)
Subordinate CA: Sectigo Public Server Authentication CA DV R36 (https://crt.sh/?d=4267304690)

For ECC based keys:

Root CA: USERTrust ECC Certification Authority (https://crt.sh/?d=2841410)
Subordinate CA: Sectigo ECC Domain Validation Secure Server CA (https://crt.sh/?d=924467852)

For ECC based keys:

Root CA: Sectigo Public Server Authentication Root E46 (https://crt.sh/?d=4256644603)
Subordinate CA: Sectigo Public Server Authentication CA DV E36 (https://crt.sh/?d=4267304693)

Additional Information

Background information: https://www.sectigo.com/sectigo-public-root-cas-migration
The various certificates used in web site security: Knowledge Base

(DC) Sectigo Public Root CAs Migration (2025)

What are Sectigo Public Root CAs?

Why the migration to new Public Root CAs?

How do I prepare?

Will this affect my existing certificates?

Root and Subordinate CA Certificates

Additional Information