The Impact of a Root Certificate Expiration

You may have heard about the recent root certificate expiration that’s been affecting a large number of sites. Root certificates are a necessary part of the certificate chain, but when they need to be replaced it affects the entire chain.

Just as the roots of a tree provide life to the leaves and branches, root certificates are the base of the certificate chain.

SSL/TLS certificate root chain

What is a root certificate?

In the chain of trust, a root certificate is the first link. Unlike other certificates, it is self-signed, meaning the issuer and subject are the same. It is a kind of X.509 certificate that can be used to issue other certificates. Certificate authorities (CAs) adhere to strict requirements to merit the trust of having a root certificate.

Root certificates also typically have long periods of validity, compared to intermediate certificates. They will often last for 10 or 20 years, which gives enough time to prepare for when they expire. However, there still can be hiccups in the process of switching to the new root certificate.

Fixing error due to an expired root certificate

When a root certificate expires, operating systems may flag the certificate as invalid even if you have the new root certificate. You may be able to fix the problem by deleting the expired root certificate.

Posted in Certificates, SSL