GlobalSign Blog

What should I do if my CA's root certificate has expired? An Expert's advice

What should I do if my CA's root certificate has expired? An Expert's advice

In a perfect world, every single client that has been given a reasonable amount of warning about the impending root CA certificate expiration will never miss it and upgrade their software as necessary. But as we all know, the reality isn’t always as pleasant.

In this article, we will talk about what happens if your CA’s root certificate expires before yours do and what you can do to resolve the issues.

What is a root CA certificate and how does it work?

Certificate Authorities (CAs) are trusted entities that help secure and authenticate digital identities by issuing digital certificates.

Certificates obtained from CAs are used to encrypt the connections between systems, networks, and devices. When creating a website for the first time, it must have an SSL/TLS certificate. Likewise, email communications can be encrypted and digitally signed by obtaining Secure Email or S/MIME certificates.

In a certificate hierarchy, there are three branches:

  • Root Certificate
  • Intermediate Certificate
  • End-entity Certificate

To have a better understanding of the certification path, here’s a representation of GlobalSign’s SSL/TLS Root CA Certificate Hierarchy:


In this hierarchy, there’s an End-entity certificate on one end and the CA’s Root certificate on the other, while the Intermediate certificate is in between. When someone visits your website, the browser is going to navigate through this entire chain—from the end-entity certificate to the intermediate certificate up to the root certificates, validating each one along the way.

Root Certificate

A root CA certificate is self-signed and the issued “to and by” field is going to match with a longer validity period. They are kept as secure as possible as they provide the root of trust for the entire organization. If a malicious party gets their hands on the root CA certificate and private key, it is a huge breach as they can begin issuing certificates that are then implicitly trusted by the organization and users worldwide.

Root CA certificate is the trust anchor when issuing digital certificates. It is at the top of a certificate hierarchy. Computers, devices, and browsers determine which root certificates they trust in its certificate store or trust store. If your issuing CA is on the list, it is then trusted.

Pictured below is the GlobalSign Root CA certificate from GlobalSign:


Intermediate Certificates

Intermediate certificates are the dividing layer between root and end-entity certificates. If root certificates are used to issue intermediate certificates, then intermediate certificates are used to issue a client’s certificate. They are also used to issue different types of certificates such as SSL/TLS certificates, document signing certificates, secure email certificates, code signing certificates, etc.

Here are some examples of an intermediate certificate from GlobalSign:


End-entity Certificate

End-users availing of the certificate will be issued by an intermediate certificate. Computers and devices determine whether to trust your certificates by verifying who issued them. They will then verify if the root certificate for your intermediate is in their certificate store.

Below is an image of an SSL certificate issued to one of GlobalSign’s websites. We can see it was issued by the GlobalSign Extended Validation CA - SHA256 - G3 pictured previously.


Your certificate’s certification path will often look like this:


When combined, these three files—the root, intermediate, and entity—form a chain of trust.

This proves that the certificate issued on the website is valid and legitimate. But what happens when the root CA certificate expires?

When a root CA Certificate expires, how does it affect me?

When the root CA certificate expires, it would mean that operating systems will invalidate the certificate. It will affect all certificates down the hierarchy chain discussed above.

It may cause service outages, website, software, and email client downtimes, bugs, and other issues. Because computers, devices, and browsers will no longer trust certificates issued by the CA with an expired root certificate, it would also mean that older devices that have not received an update or those that run on old software releases might run into some major issues and at worst, they might stop working.

What can I do to resolve issues from the expired root CA certificate?

On the surface, the fix for the problem looks simple: Root CA certificates need to be updated but not all devices receive an update. When they do, not all of them get installed.

If you are impacted by an expired root CA certificate, you have two options: 1) re-install the certificate or 2) get a new certificate from a different CA.

The first option varies from client to client, with some taking only a few minutes to fix the issue, while others face bugs and errors along the way. In such cases, it may be best to obtain the certificates from a different CA for a clean slate.

When it comes to downtimes, time is of the essence. A few minutes of downtime may mean thousands in revenue loss, and in some cases would mean that websites will have to stay down for a while until the issue is fixed.

If you rely on certificates for secure communications, as most of us do these days, taking the time to examine your current validation chain is critical.

Website security is a must for all businesses. Website downtimes due to expired certificates can compromise your website’s security, company’s credibility, and client’s trust. As one of the longest-standing CAs, our certificates are trusted by APAC’s leading institutions and organizations.

If you ever decide it is now time to make the switch, we can help make the CA transition easy. We offer various SSL/TLS certificate options to save your company from inconveniences:

  • Domain Validated (DV) Certificates

    Reliable base-level encryption for TLS with automated and immediate issuance (within a few minutes).
  • Organization Validation (OV) Certificates

    Strong SSL/TLS protection with instant identity information, with a vetting process that often takes only 1-2 business days. The certificate will show the corporate identity and ownership of the domain name.
  • Extended Validation (EV) Certificates

    The highest class of SSL/TLS available today. Its presence is an indicator of the website’s validity and that it is owned and registered by a verified, legitimate business. The vetting process often takes 3-4 business days.

Our certificate management platforms can be accessed after obtaining any of our certificates to make your certificate management more seamless and flexible. Not only does this help you easily manage digital certificates and subscriptions, but also ensures your business will never experience the burden of certificate expiration and downtimes.

For a complete list of all GlobalSign products, click here.

Share this Post

Related Blogs