Comodo SSL certificates are now branded Sectigo, but there is more to it than that…
It was originally announced that the transition from Comodo to Sectigo SSL certificates would only involve a change of name and logo. However, it now turns out that there has also been a change in the root structure, which is causing problems for some customers. So, here is a news update...
A change in the root structure
In our article entitled “The brand of your SSL certificate undergoes a name change: Comodo is now Sectigo”, we announced that this process would involve a purely external change in the name and logo to be used for the SSL certificate. Based on the information available at the time, we stated that the root itself would not undergo any changes.
Meanwhile, it appeared that the root structure has actually undergone some changes, as have intermediate certificates. From now on, the Comodo Root CA will be replaced by the USERTrust Root CA, which has been in existence since 2010 and is also supported by most browsers.
With older operating systems or clients, however, there may be a problem, as they do not recognise the certificate. As a result, the user will get an error message in his browser. Because of this, he will not trust the site, and leave it, which means you will miss the sale of a product or service...
The problem has been identified in these devices/browsers
The RSA USERTrust certificate is not supported by devices running MacOS 10.11 or earlier. Other devices running an outdated operating system, such as an older version of Android, can also generate an error message when the visitor lands on a website where the new Sectigo certificate has been installed.
This also applies to outdated clients or software.
Here is how you can solve this problem
The most straightforward and secure way is to simply update the operating system – to MacOS 10.12 or later. All warnings about the untrusted Root certificate will then instantly disappear! Such an update can be performed very easily via the App store.
There is also another solution, although we do not recommend it. You could in fact purchase a new SSL certificate from us from another brand, such as Geotrust or RapidSSL. But we strongly advise against that, because it would be a total waste of money, as your current Comodo/Sectigo certificate is valid until the expiry date!
Updating your operating system is the best and safest option!
The underlying explanation
SSL security depends on a Chain of Trust (Certificate Authority or CA > certificate issuer such as Comodo/Sectigo > your SSL certificate). So, your certificate is signed by a CA, and is therefore accepted by the browser.
The identity of the different CAs is defined by default in the browser, via the root certificates of the CA. Browser makers such as Mozilla, Google and Microsoft ensure that updates automatically replace outdated or expired certificates with new ones.
Such a Certificate Authority must, however, meet very strict security requirements to ensure that the certificates are not compromised. A certificate issuer such as Comodo/Sectigo therefore uses intermediate certificates to sign the SSL certificates. The purpose is simple: when a hacker manages to steal the private key of one of the intermediate certificates, only the certificates that depend on this intermediate certificate are compromised, and the private key of the root certificate remains unchanged.
One last reminder: if you want to offer a secure HTTPS website, you will need an SSL certificate. A secure website will instil more confidence in your visitors, and will help you get a higher ranking in search engines.