Active Incident

Updated a few seconds ago

Issues with SCM Prime SCEP ServiceOperational

Incident Status

Operational

Components

Certificate Issuing Platforms, Certificate Lifecycle Management Platforms

Locations

Public CA, SCM (cert-manager.com)


September 16, 2025 5:51PM UTC
[Monitoring] SCM - Prime - SCEP (cert-manager.com) experienced downtime starting 2025-09-16 17:36:20 due to a socket timeout. The service was restored and is UP as of 2025-09-16 17:44:20, after approximately 8 minutes of downtime. We continue to monitor the system to ensure stability.

Certificate Issuing Platforms

Operational

Certificate Lifecycle Management Platforms

Operational

Certificate Revocation Platforms

Operational

Certificate Transparency

Operational

Websites

Operational

Client Areas

Operational

Time Stamping

Operational

Scheduled Maintenance

Sectigo Announcement:: Upcoming removal of WHOIS-Based Domain Control!Planned Maintenance

Schedule

June 15, 2025 12:00AM - 12:00AM UTC

Components

Certificate Issuing Platforms

Locations

Public CA

Description

Sectigo Announcement: Recent vulnerabilities in the domain name WHOIS system (https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/) have highlighted the WHOIS-based domain-validation method as a weakness in the process of validating publicly-trusted digital certificates. As a result, a ballot has been proposed in the CA Browser Forum (CABF) requiring that WHOIS-listed email addresses are no longer acceptable for domain validation, nor can historic domain validations based on WHOIS email addresses be reused. This ballot aims to deprecate the WHOIS-based domain validation method. We are currently investigating the impact of this proposed change. If you use WHOIS-based domain validation methods, we recommend migrating to alternative methods as soon as possible. The proposed removal date has moved from November 1st, 2024 to July 3rd, 2025. Additional information can be found here: https://www.sectigo.com/whois-email-dcv-deprecation

July 8, 2025 9:47PM UTC
[Update] Update: All domains that were using WHOIS-based DCV have been removed from the backend database List as of today. Customers are now required to initiate a new DCV to avoid any service disruptions. Please ensure that any domains previously validated via WHOIS email are revalidated as soon as possible. If you have any questions or concerns, feel free to contact the Sectigo Support Team.
Upcoming Change: SHA-256 to be Used for New TLS Certificates Starting June 23Planned Maintenance

Schedule

June 23, 2025 1:00PM - 1:00PM UTC

Components

Certificate Issuing Platforms

Locations

Public CA

Description

We want to inform you about an upcoming change in the signature hash algorithm used for TLS certificates issued from our new CA hierarchy. Effective June 23, 2025, at 13:00 UTC, newly issued TLS certificates will be signed using the SHA-256 hashing algorithm. This reverses the recent move to SHA-384, based on issues identified in real-world deployments. As SHA-256 was the prior default, we do not anticipate disruptions. Need SHA-256 certificates before June 23? Please reach out to your support contact within Sectigo Looking ahead: In a future release, we plan to make SHA-384 an optional selection for customers wishing to test SHA-384 readiness. Additional development is required before this option will become available. We appreciate your understanding as we take proactive steps to maintain the highest reliability and compatibility of issued certificates. Sectigo Team.
Scheduled Maintenance 22:59 UTC Sat 20th September 2025 to 01:00 UTC Sun 21st September 2025 Planned Maintenance

Schedule

September 20, 2025 11:00PM - September 21, 2025 1:00AM UTC

Components

Certificate Issuing Platforms, Certificate Lifecycle Management Platforms, Client Areas

Locations

Public CA, SCM (cert-manager.com), SCM (hard.cert-manager.com), secure.trust-provider.com, secure.sectigo.com, SCM (eu.cert-manager.com)

Description

Sectigo Certificate Issuing Platform Scheduled Maintenance Saturday, September 20, 2025; 22:59 UTC. Sectigo Certificate Issuing Platform Scheduled Maintenance: • Minor Fixes • Minor Improvements We anticipate that our certificate issuing platform will be unavailable for up to 2 hours while we add this additional functionality to the system. Please contact your Sectigo support resource if you require additional information about this scheduled maintenance event.
Important Update: Deprecation of Client Authentication EKU from Sectigo SSL/TLS Certificates !Planned Maintenance

Schedule

October 7, 2025 12:00AM - 12:00AM UTC

Components

Certificate Issuing Platforms

Locations

Public CA

Description

Effective October 7, 2025, Sectigo will no longer include Client Authentication (id-kp-clientAuth) in Extended Key Usage (EKU) for newly issued SSL/TLS certificates. This change aligns with updated industry requirements and best practices aimed at improving the security and purpose specificity of publicly trusted certificates. What is changing? For many years, SSL/TLS certificates have commonly included both Server Authentication and Client Authentication EKUs. Moving forward, the Client Authentication EKU will be deprecated in SSL/TLS certificates due to updated requirements from major Root Programs. Important dates Effective October 7, 2025: Sectigo will stop including the Client Authentication EKU in SSL/TLS certificates by default. Effective May 15, 2026: Sectigo will no longer include the Client Authentication EKU in any newly issued SSL/TLS certificates. What do your customers need to do? If they don't use Sectigo SSL/TLS certificates for mutual TLS (mTLS), server-to-server authentication, or other Client Authentication use cases, no action is required. If they are using SSL/TLS certificates for Client Authentication purposes, we recommend they evaluate alternative solutions as soon as possible. For most organizations, Private PKI offers the best path forward to support mTLS and similar use cases. Please contact a Sectigo sales representative to assist with planning and deploying a Private CA tailored to the environment. Need assistance? If you are unsure whether this change impacts your customers, or if you need guidance on migrating to alternative solutions, please contact us at clientauth@sectigo.com. Learn more For additional information, we have prepared a FAQ covering the deprecation timeline, impacted services, and alternative options: 🔗 https://www.sectigo.com/faq-client-authentication-eku-deprecation Thank you for your prompt attention to this important industry change.