SSL Certificate News & Information

Sectigo restriction for Russia

March 2022

From today, 3rd March 2022, Sectigo have blocked all orders from Russia and Belarus.
This is for new orders, renewals and re-issues for any .ru, .by, .su and .рф TLDs and any organization which has Russia or Belarus as the country in the Organisation, Admin or Tech contact details.

So far, we are yet to hear from DigiCert (including the Thawte, RapidSSL and GeoTrust brands) but we are expecting an official DigiCert decision soon.
UPDATE: 10th March 2022, DigiCert (including the Thawte, RapidSSL and GeoTrust brands) have now blocked orders for Russia and Belarus too.

Sectigo Intermediate Expiry

May 2020

The Sectigo AddTrust External CA Root certificate expired on 30th May 2020. Sectigo had assured everyone that no issues would arise from this.

However, some TLS clients which are incapable of building an alternative certificate chain have stopped working correctly, including some older versions of OpenSSL.
All certificates issued from 30th April 2020 will not cause these issues as they are issued from a root which is valid until 2038.

If you are experiencing issues with your SSL certificate, please contact support.

2 year SSL Certificates will end soon

February 2020

In January 2015, we announced the upcoming end of the 4 and 5-year certificates from April 2015 onwards.
In April 2017, we announced the upcoming end of the 3-year certificates from February 2018 onwards.
However, it now seems the CA/B Forum has been forced by Apple and its Safari browser to end 2-year certificates.

Apple has announced this week that, from 1st September, all newly issued publicly trusted TLS certificates which are valid for longer than 398 days will be untrusted by the Safari browser, to "protect users".
A large proportion of people prefer multi-year certificates due to the discounted prices and less work involved with procurement, vetting and installation. We believe 2 years was a fair compromise between security and business needs. However, Apple felt differently and have now implemented the changes. All other browsers will have to follow and CAs will now have to adhere to this.

DigiCert acquires QuoVadis

January 2019

On 17th January 2019, DigiCert Inc acquired QuoVadis - an EU and Swiss TSP, specialising in qualified digital certificates and related services for Europe, as well as enterprise managed PKI services.

DigiCert will continue to operate QuoVadis as an EU qualified trust service provider offering EU and Swiss qualified digital certificate and electronic signature services.

It is less than 14 months since DigiCert acquired Symantec CA, thus this further increases DigiCert's presence in internet security.

For further information, see this QuoVadis news article

Comodo CA has been re-branded to Sectigo.

December 2018

Comodo CA has re-branded and now is known as Sectigo.

With over 20 years of experience, Comodo has issued over 100 million certificates and works with over 700,000 businesses worldwide.
They have become the largest commercial Certificate Authority in the world, but moving forward they will now be known as Sectigo.

During the transition, some products will be issued under the new Sectigo brand whereas some will continue to be issued under the Comodo brand for a while.

We will gradually update the ProntoSSL website to replace all instances of Comodo with Sectigo.

For further information, please see the Comodo and Sectigo websites.

If you currently have a Comodo SSL certificate, it will continue to work throughout its lifetime. There is nothing you need to do.

TLS 1.3 approved

August 2018

The Register reports TLS 1.3 has been approved:

"An overhaul of a critical internet security protocol has been completed, with TLS 1.3 becoming an official standard late last week."

RapidSSL and GeoTrust Reissues

May 2018

A second round of SSL certificate re-issues for RapidSSL and GeoTrust certificates will take place during May 2018 to combat Google's distrust in their Chrome browser.

As was the case in January, all affected orders will be automatically set to reissue by RapidSSL and GeoTrust. All orders must be fully re-vetted. Remember, DigiCert has now acquired Symantec.

For OV and EV orders, a full organization validation is required. In most cases, the Validation Center will try to use existing information and no extra documents will be required. A callback may be required in some cases.

For all DV orders, the Approver email will be sent to all eligible email addresses (eg admin@, hostmaster@). It will only contain an approval link. The new certificate and CA bundle will be sent to the listed technical contact as usual.

For further information, see the latest official GeoTrust knowledgebase alert

Anyone with a certificate issued after 1st June 2016 and expiring after 1st September 2018 must re-validate the replacement order and have the SSL re-issued and re-installed.

3 year SSL Certificates will end soon

February 2018

As first reported in April 2017, CAs will no longer be able to issue 3 year SSL certificates after 1st March 2018.

The CA/B Forum is enforcing this change to all CAs in order to improve security, as longer validity SSL certificates can often lead to customers having old certificates in use with vulnerabilities.

UPDATE: (16th February 2018)
We have removed 3 year SSL certificates from our website today as some CAs are ceasing orders for 3 year certificates a few days prior to the deadline.

If you require a 3 year certificate, please contact us prior to the deadline dates listed below.

GeoTrust: Tuesday 20th February 2018
RapidSSL: Tuesday 20th February 2018
Comodo: Wednesday 28th February 2018

RapidSSL and GeoTrust Reissues

January 2018

As previously reported, Google plans to distrust some Symantec SSL certificates in their Chrome browser. This includes some certificates issued by its subsidiaries, RapidSSL and GeoTrust.

During mid to late January 2018, all affected orders will be automatically set to reissue by RapidSSL and GeoTrust. All orders must be fully re-vetted. Remember, DigiCert has now acquired Symantec.

For OV and EV orders, a full organization validation is required. In most cases, the Validation Center will try to use existing information and no extra documents will be required. A callback may be required in some cases.

For all DV orders, the Approver email will be sent to all eligible email addresses (eg admin@, hostmaster@). It will only contain an approval link. The new certificate and CA bundle will be sent to the listed technical contact as usual.

For further information, see the official GeoTrust "Informational"

Anyone with a certificate issued before 1st June 2016 must re-validate the replacement order and have the SSL re-issued and re-installed.

DigiCert acquired Symantec CA

November 2017

On 31st October 2017, DigiCert Inc acquired Symantec Corporation - Symantec’s Website Security and PKI business.
All certificates from their main brand, Symantec, as well as all certificates from their sub-brands (Thawte, RapidSSL and GeoTrust) will be issued using the DigiCert infrastructure starting from 1st December 2017.

See DigiCert's official acquisition statement

Mandatory CAA (DNS) Checking

September 2017

From 7th September 2017, all CAs are now required to check the domain name's DNS for a CAA record prior to issuing any SSL certificates for that domain.

If you have configured CAA records in your domain name's DNS, only the CAs listed may issue SSL certificates for your domain.
If you have no CAA records in your DNS, any CA can issue SSL certificates for your domain.
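
The CAA check described above, as an added example in Python (not code from this page or from any CA). It goes beyond the two cases stated here by also following the RFC 8659 rules for climbing to parent domains, the issuewild tag for wildcard names and the critical flag. The DNS data is a constructed dictionary, and ca-one.example and ca-two.example are placeholder CA identifiers.

```python
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as in a "CAA 0 issue ..." record
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample data standing in for DNS; CA identifiers are placeholders.
SAMPLE_DNS: Dict[str, List[CaaRecord]] = {
    "example.com": [
        (0, "issue", "ca-one.example"),
        (0, "issuewild", "ca-two.example"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [(0, "issue", ";")],  # empty issuer: nobody may issue
    "example.net": [(0, "iodef", "mailto:security@example.net")],  # reporting only
}


def relevant_rrset(fqdn: str, dns: Dict[str, List[CaaRecord]]) -> List[CaaRecord]:
    """Climb from the name towards the root; the first non-empty CAA set wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = dns.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def may_issue(ca_id: str, name: str, dns: Dict[str, List[CaaRecord]] = SAMPLE_DNS) -> bool:
    """Return True if CAA permits the CA identified by ca_id to issue for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, dns)
    # An unrecognised tag with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    restricting = issuewild if (wildcard and issuewild) else issue
    if not restricting:
        return True  # no CAA records, or none that restrict issuance
    allowed = {v.split(";")[0].strip().lower() for v in restricting}
    return ca_id.lower() in allowed


if __name__ == "__main__":
    for ca, name in [("ca-one.example", "www.example.com"),
                     ("ca-two.example", "www.example.com"),
                     ("ca-two.example", "*.example.com"),
                     ("ca-one.example", "shop.locked.example.com"),
                     ("ca-one.example", "example.org")]:
        print(f"{ca:16} {name:26} -> {'allowed' if may_issue(ca, name) else 'refused'}")
```

A real check replaces the dictionary lookup with live DNS queries for the CAA record type; the decision logic stays the same.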

DigiCert to Acquire Symantec

August 2017

At the beginning of August 2017, DigiCert announced its agreement to acquire Symantec's website security business, including the SSL/TLS and the IoT business.
DigiCert announced this very swiftly as they are hoping "that this agreement will satisfy the needs of the browser community" in relation to Google's plans to distrust the Symantec root certificate in the Chrome browser.
It is reported that the deal is for $950m USD plus a 30% share of DigiCert.
This is expected to complete in the last half of 2018.

Distrust of Symantec Certificates by Google

July 2017

Google are to distrust all Symantec SSL certificates (issued before 1st June 2016) in their Chrome browser, from 8th August 2017.
In March 2017, Google and Mozilla found Symantec had mis-issued 127 SSL certificates (against industry rules set by the CA/B Forum) but after further investigation the number rose to 30,000.
Mozilla, Microsoft and Apple were considering options but allowed Google to conduct the investigation alone.
Symantec denied mis-issuing any certificates.
However, Symantec will now have to partner with another CA who will issue the certificates on behalf of Symantec.
There is talk of Symantec exploring the idea of selling its CA business.

The GeoTrust, Thawte, and RapidSSL brands (owned by Symantec) are also affected.

Anyone with a certificate issued before 1st June 2016 must re-validate the replacement order and have the SSL re-issued and re-installed.

Comodo removes free non-www SAN

July 2017

All previous orders for Comodo Single Domain SSL certificates for www. have secured the base domain (non-www.), until now.
Like the majority of CAs, Comodo gave this for free, by adding it to the SAN.
For example: a previously ordered certificate for www.example.com would also secure example.com as Comodo added this for free to each order.

This has now changed. Instead they will add the www. element to the SAN for an order of the base domain (non-www.).
For example: a new certificate order for example.com will also secure www.example.com as Comodo will now add this for free to each order.

For Comodo Wildcard certificates, the base domain will not be added and therefore cannot be protected with a Wildcard SSL certificate.

Of course, all previously issued SSL certificates will continue to work until re-issue or renewal.

UPDATED July 2017:
Comodo have decided to pause the new updates for the www. and non-www. SAN.
Wildcard SSL certificates will still have the base domain included and all Single Domain SSL certificates for www. will secure the non-www. base domain too.

Comodo Technical Issues

May 2017

Comodo experienced technical issues resulting in loss of all services for 20 hours between 10th and 11th May 2017.
This unfortunately resulted in the loss of all orders from 3rd May to 11th May 2017.
Comodo were able to replace all of these orders on 12th May and added an extra 90 days as goodwill to all affected orders.

UPDATED May 2017:
On 18th May Comodo had to revoke all orders placed between 3rd May and 11th May 2017.
If your certificate was issued between 3rd May and 11th May 2017, it will be revoked with a replacement order being created on 12th May.
The revoked certificates cannot be used and you will need to collect the replacement SSL certificate.

Anyone with an order issued between these dates must re-validate the replacement order and have the SSL re-issued and re-installed.

We apologise on behalf of Comodo for the inconvenience, which of course is out of our control.

Deprecation of 3 year SSL Certificates

April 2017

A recent change to the CA/B Forum Baseline Requirement will soon prevent issuance of 3 year SSL certificates.
From 1st March 2018, the maximum validity period will be 27 months for all SSL Certificates.
This 27-month limit imposed by the CA/B Forum allows for a 2 year certificate to be renewed up to 3 months prior to the expiry date, without loss of validity time.

Distrust of SHA-1 Certificates

May 2016

All major web browser manufacturers will begin disabling support for SHA-1 certificates from publicly-trusted certificate authorities in early 2017.
If your SSL certificate is using SHA-1 then you will need a re-issue to obtain a SHA-2 certificate before the end of this year.

SSL Increases Google SEO Rankings

May 2016

Google has again made minor updates to its search algorithm and now all websites using SSL will benefit.
If you have a valid SSL certificate installed, this will increase your Google SEO and in return you will gain more traffic due to a higher ranking.
Although SSL certificates provide a minor rankings increase from Google, the content quality remains the major factor, but it all helps to improve the sales and conversions.

SSL for Internal / Local Hostnames

November 2015

A recent change to the CA/B Forum Baseline Requirement now prevents issuance of SSL certificates containing local hostnames.
From 1st November 2015, all Common Names and SANs fields must contain FQDNs.

If your server uses names such as "company.local", you will need to replace these with FQDNs such as "local.company.example.com".
Of course, there is no requirement to add these local FQDNs to your public DNS; they may reside in your local (private) DNS only, thus maintaining the same internal-only restrictions which "company.local" provided.

Deprecation of 4 and 5 year SSL Certificates

January 2015

A recent change to the CA/B Forum Baseline Requirement will soon prevent issuance of 4 and 5 year SSL certificates.
From 1st April 2015, the maximum validity period will be 39 months for all SSL Certificates.
This 39-month limit imposed by the CA/B Forum allows for a 3-year certificate to be renewed up to 3 months prior to the expiry date, without loss of validity time.
You may order a 4 year SSL certificate up to 1st March 2015 but if any re-issues are necessary after 1st April 2015, it will be truncated to 39 months. You must ensure you back up your certificate and the key to prevent this.

Removal of SHA-1 Certificates

September 2014

Most SSL certificates issued today are created with a hash algorithm called SHA-1, which is now almost 20 years old.
With advances in hardware and therefore computing power, the feasibility of successful collision attacks is increasing.
Therefore CAs should begin to use a stronger SHA version, particularly SHA-2 (or SHA-256).
SHA-1 SSL certificates will still be available for compatibility reasons, but only if requested, and cannot be used for any certificate which expires after 1st January 2017.

Comodo Multi-Domain Wildcard SSL

November 2013

Comodo have announced the addition of their Multi-Domain Wildcard SSL.
This is an industry first, for a CA to issue a multi-domain SSL with wildcard capabilities.
Aimed at customers with many domains and sub-domains to secure, it is capable of securing up to 100 domains together with the unlimited subdomain capability of a wildcard SSL certificate.
Wildcard domains can be added to the SANs (multi-domain element) of the certificate.

New Symantec WildcardSSL Certificate

June 2013

Symantec have announced the addition of a new Wildcard SSL certificate to their range of highest level 256-bit encryption Symantec SSL certificates.
This is the most expensive SSL certificate we are aware of, so perhaps it is only within the reach of large enterprises or government entities.

Dutch CA DigiNotar Hacked

September 2011

A security breach at DigiNotar (https://www.diginotar.nl — now a dead link) has resulted in the issuance of more than 500 fraudulent SSL certificates.
All major web browsers have since blacklisted all DigiNotar issued certificates and the DigiNotar roots have been removed also.

DigiNotar was declared bankrupt shortly after.