2025-08-13

Certum implements new Root CAs

From September 15, 2025, Certum will implement new Root CAs in accordance with Mozilla’s and Google’s policies.

If you are using up-to-date operating systems and browsers, you will likely not notice this change.

If you use older systems, make sure that the new Root CAs or cross-certificates are installed. The old Root CAs will be retired, meaning that certificates based on them will no longer be trusted in the latest browsers and systems.

Why Certum is changing Root CAs

This change follows the decision of Mozilla Firefox and Google Chrome to remove trust in Root CA certificates older than 15 years (for TLS/SSL certificates). The goal of this policy is to increase user security.

Withdrawal of trust means that browsers such as Firefox and Chrome will remove trust for issuers – old Root Cas – so even though they will still be technically valid, they will no longer be trusted by newer browser versions. As a result, SSL certificates issued by Certum CA and Certum Trusted Network CA will no longer be recognized as secure.

A detailed withdrawal schedule can be found at:

• https://wiki.mozilla.org/CA/Root_CA_Lifecycles
• https://googlechrome.github.io/chromerootprogram/#413-root-ca-term-limit

Which Root CAs are being retired?

From 2025, Certum has begun phasing out old Root CAs and gradually migrating to new Root CAs:

• Certum CA – retired
• Certum Trusted Network CA – trust removal date: 2027-04-15

Important: Certificates based on these Root CAs will remain trusted in older browsers and operating systems released before these dates, and in environments that no longer receive regular security updates.

What are the new Root CAs

As of September 15, 2025, Certum is introducing new Root CAs, which – under Mozilla and Google policy – already have defined end-of-trust dates:

• Certum Trusted Root CA
  • Trusted for SSL certificates until 2032-04-12
• Certum EC-384 CA
  • Trusted for SSL certificates until 2033-03-22

Important: Certum Trusted Root CA and Certum EC-384 CA are trusted in all major browsers and operating systems (Windows, macOS, iOS, Android ≥14), but they may be unavailable on Android versions older than 14 if those devices have not received a certificate store update, and in older, unsupported, and non-updated operating systems.

To ensure compatibility with older environments that no longer receive regular security updates, a mechanism known as cross-certification with the old Root CAs has been applied.

What does this mean for users?

If you encounter problems with certificates, make sure that the appropriate Root CAs and Subordinate CAs are present in the trusted stores of your applications and devices.

For older environments that no longer receive regular security updates, also check for the presence of cross-certificates with the old Root CAs.

After September 15, 2025 – the date of the transition to the new Root Cas – a certificate reissue for one issued under an old Root CA will replace it with a certificate from the new Root CA.

We recommend avoiding so-called certificate pinning (i.e., hardcoding trust to a specific certificate), as this may prevent migration to the new Root CAs.

The full new hierarchy of Root CAs and Subordinate Cas

SSL certificates:

• Certum Commercial SSL (DV)
• Certum Trusted SSL (OV)
• Certum Premium EV SSL (EV)

For older systems, it may be necessary to install cross-certificates:

• For Certum Trusted Root CA: https://repository.certum.pl/ctnca-ctrca.pem
• For Certum EC-384 CA: https://repository.certum.pl/ctnca-cec384ca.pem

Note: Please note that the cross-certificate is installed by the server administrator on the server, not by the end user on their device.

The matching Subordinate CA certificate for the issued certificate is available for download in the Data security products customer panel, and a full list of all Certum Root CAs and Subordinate CAs is available at https://www.certum.eu/en/cert_expertise_root_certificates/.