Planned Maintenance In Progress

Description

We anticipate that EST and Universal ACME endpoints will be unavailable for up to 3 hours while maintenance is performed. Please contact your Sectigo support resource if you require additional information about this scheduled maintenance event.

Components

Certificate Lifecycle Management Platforms

Locations

SCM (cert-manager.com)

Schedule

July 5, 2025 10:59PM - July 6, 2025 2:00AM UTC



July 5, 2025 10:59PM UTC
[Update] Scheduled maintenance is starting.

Certificate Issuing Platforms

Operational

Certificate Lifecycle Management Platforms

Planned Maintenance

Certificate Revocation Platforms

Operational

Certificate Transparency

Operational

Websites

Operational

Client Areas

Operational

Time Stamping

Operational

Scheduled Maintenance

Schedule

June 15, 2025 12:00AM - 12:00AM UTC

Components

Certificate Issuing Platforms

Locations

Public CA

Description

Sectigo Announcement: Recent vulnerabilities in the domain name WHOIS system (https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/) have highlighted the WHOIS-based domain-validation method as a weakness in the process of validating publicly-trusted digital certificates.

As a result, a ballot has been proposed in the CA/Browser Forum (CABF) under which WHOIS-listed email addresses would no longer be acceptable for domain validation, and historic domain validations based on WHOIS email addresses could no longer be reused. This ballot aims to deprecate the WHOIS-based domain validation method.

We are currently investigating the impact of this proposed change. If you use WHOIS-based domain validation methods, we recommend migrating to alternative methods as soon as possible. The proposed removal date has moved from November 1st, 2024 to July 3rd, 2025.

Additional information can be found here: https://www.sectigo.com/whois-email-dcv-deprecation

Schedule

June 23, 2025 1:00PM - 1:00PM UTC

Components

Certificate Issuing Platforms

Locations

Public CA

Description

We want to inform you about an upcoming change in the signature hash algorithm used for TLS certificates issued from our new CA hierarchy. Effective June 23, 2025, at 13:00 UTC, newly issued TLS certificates will be signed using the SHA-256 hashing algorithm. This reverses the recent move to SHA-384, based on issues identified in real-world deployments. As SHA-256 was the prior default, we do not anticipate disruptions.

Need SHA-256 certificates before June 23? Please reach out to your support contact within Sectigo.

Looking ahead: In a future release, we plan to make SHA-384 an optional selection for customers wishing to test SHA-384 readiness. Additional development is required before this option will become available.

We appreciate your understanding as we take proactive steps to maintain the highest reliability and compatibility of issued certificates.

Sectigo Team

Schedule

September 15, 2025 12:00AM - 12:00AM UTC

Components

Certificate Issuing Platforms

Locations

Public CA

Description

Sectigo Announcement: To comply with new CA/B Forum requirements, Sectigo is introducing Multi-Perspective Issuance Corroboration (MPIC) for Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks. This process mitigates security risks by verifying traditional DCV and CAA results from multiple remote network perspectives across different regions.

Key Milestones:

• February 18, 2025 – MPIC enters a reporting phase. DCV and CAA validation results will be corroborated using multiple remote perspectives, but unsuccessful checks will not affect certificate issuance.
• No later than September 15, 2025 – MPIC enforcement begins. Certificates will not be issued if multi-perspective checks fail to corroborate primary DCV or CAA results. (Exact date will be communicated during the summer period.)

For further details, including specific validation methods affected, visit our FAQ: https://www.sectigo.com/mpic-faq

Schedule

September 15, 2025 12:00AM - 12:00AM UTC

Components

Certificate Issuing Platforms

Locations

Public CA

Description

Effective September 15, 2025, Sectigo will no longer include Client Authentication (id-kp-clientAuth) in Extended Key Usage (EKU) for newly issued SSL/TLS certificates. This change aligns with updated industry requirements and best practices aimed at improving the security and purpose specificity of publicly trusted certificates.

What is changing?

For many years, SSL/TLS certificates have commonly included both Server Authentication and Client Authentication EKUs. Moving forward, the Client Authentication EKU will be deprecated in SSL/TLS certificates due to updated requirements from major Root Programs.

Important dates

• Effective September 15, 2025, Sectigo will stop including the Client Authentication EKU in SSL/TLS certificates by default.
• Effective May 15, 2026, Sectigo will no longer include the Client Authentication EKU in any newly issued SSL/TLS certificates.

What do your customers need to do?

If they don't use Sectigo SSL/TLS certificates for mutual TLS (mTLS), server-to-server authentication, or other Client Authentication use cases, no action is required.

If they are using SSL/TLS certificates for Client Authentication purposes, we recommend they evaluate alternative solutions as soon as possible. For most organizations, Private PKI offers the best path forward to support mTLS and similar use cases. Please contact a Sectigo sales representative to assist with planning and deploying a Private CA tailored to the environment.

Need assistance?

If you are unsure whether this change impacts your customers, or if you need guidance on migrating to alternative solutions, please contact us at clientauth@sectigo.com.

Learn more

For additional information, we have prepared a FAQ covering the deprecation timeline, impacted services, and alternative options: https://www.sectigo.com/faq-client-authentication-eku-deprecation

Thank you for your prompt attention to this important industry change.