Planned Maintenance In Progress

Updated a few seconds ago

Description

We anticipate that the Sectigo Private CA issuing platform will be unavailable for up to 3 hours while maintenance is performed. IoT Manager will be available, but no certificates can be issued during this time. Sectigo Certificate Manager will be available, but no private certificates from this backend can be issued during this time. Please contact your Sectigo support resource if you require additional information about this scheduled maintenance event.

Components

Certificate Issuing Platforms, Certificate Lifecycle Management Platforms

Locations

IoT Manager, SCM (cert-manager.com), SCM (hard.cert-manager.com), Private CA

Schedule

May 24, 2025 11:00PM - May 25, 2025 2:00AM UTC



May 24, 2025 11:00PM UTC
[Update] Scheduled maintenance is starting.

Certificate Issuing Platforms

Planned Maintenance

Certificate Lifecycle Management Platforms

Planned Maintenance

Certificate Revocation Platforms

Operational

Certificate Transparency

Operational

Websites

Operational

Client Areas

Operational

Time Stamping

Operational

Scheduled Maintenance

Schedule

March 1, 2025 12:00AM - June 2, 2025 12:00AM UTC

Components

Certificate Issuing Platforms

Locations

Public CA

Description

This is a reminder about the ongoing transition to Sectigo’s new Public Root CAs — an important initiative to maintain the security, trust, and compliance of digital certificates across modern platforms. We appreciate your attention to the previous notifications sent prior to each migration phase, which helps minimize any potential issues during and after these transitions. Summary Overview: Sectigo has successfully incorporated its new Public Root CAs into all major root stores, including Mozilla, Microsoft, Apple, and Google/Chrome. These new roots deliver enhanced security, improved trust, and continued compliance with evolving industry standards, ensuring your certificates remain valid and fully supported across major systems and devices. As part of this effort, Sectigo has been migrating certificate issuance to the new Public Roots in phases. Completed Migrations: ✅ S/MIME Certificates — March 1, 2025 ✅ EV TLS Certificates — April 15, 2025 ✅ OV TLS Certificates — May 15, 2025 Upcoming Migration: DV TLS Certificates — Scheduled for June 2, 2025 For partners using whitelabel Subordinate CAs, our Compliance team will reach out separately with further instructions. Why This Matters: This migration ensures that Sectigo certificates remain secure, fully trusted, and compatible with all modern browsers, operating systems, and applications. It strengthens the protection of your websites, communications, and digital services against evolving threats while keeping your infrastructure aligned with the latest industry standards. Additional Resources: https://www.sectigo.com/sectigo-public-root-cas-migration https://www.sectigo.com/knowledge-base/detail/Sectigo-Public-Intermediates-and-Roots/kA0Uj0000003eovKAA https://www.sectigo.com/knowledge-base/detail/Sectigo-new-Public-Roots-and-Issuing-CAs-Hierarchy/kA0Uj0000004IrB Thank you for your attention and continued partnership!

Schedule

June 15, 2025 12:00AM - 12:00AM UTC

Components

Certificate Issuing Platforms

Locations

Public CA

Description

Sectigo Announcement: Recent vulnerabilities in the domain name WHOIS system (https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/) have highlighted the WHOIS-based domain-validation method as a weakness in the process of validating publicly-trusted digital certificates. As a result, a ballot has been proposed in the CA Browser Forum (CABF) requiring that WHOIS-listed email addresses are no longer acceptable for domain validation, nor can historic domain validations based on WHOIS email addresses be reused. This ballot aims to deprecate the WHOIS-based domain validation method. We are currently investigating the impact of this proposed change. If you use WHOIS-based domain validation methods, we recommend migrating to alternative methods as soon as possible. The proposed removal date has moved from November 1st, 2024 to June 15th, 2025. Sectigo will provide updates on this proposal on: https://www.sectigo.com/whois-email-dcv-deprecation

Schedule

September 15, 2025 12:00AM - 12:00AM UTC

Components

Certificate Issuing Platforms

Locations

Public CA

Description

Sectigo Announcement: To comply with new CA/B Forum requirements, Sectigo is introducing Multi-Perspective Issuance Corroboration (MPIC) for Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks. This process mitigates security risks by verifying traditional DCV and CAA results from multiple remote network perspectives across different regions. Key Milestones: • February 18, 2025 – MPIC enters a reporting phase. DCV and CAA validation results will be corroborated using multiple remote perspectives, but unsuccessful checks will not affect certificate issuance. • No later than September 15, 2025 – MPIC enforcement begins. Certificates will not be issued if multi-perspective checks fail to corroborate primary DCV or CAA results. (Exact date will be communicated during the summer period.) For further details, including specific validation methods affected, visit our https://www.sectigo.com/mpic-faq

Schedule

September 15, 2025 12:00AM - 12:00AM UTC

Components

Certificate Issuing Platforms

Locations

Public CA

Description

Effective September 15, 2025, Sectigo will no longer include Client Authentication (id-kp-clientAuth) in Extended Key Usage (EKU) for newly issued SSL/TLS certificates. This change aligns with updated industry requirements and best practices aimed at improving the security and purpose specificity of publicly trusted certificates. What is changing? For many years, SSL/TLS certificates have commonly included both Server Authentication and Client Authentication EKUs. Moving forward, the Client Authentication EKU will be deprecated in SSL/TLS certificates due to updated requirements from major Root Programs. Important dates Effective September 15, 2025, Sectigo will stop including the Client Authentication EKU in SSL/TLS certificates by default. Effective May 15, 2026, Sectigo will no longer include the Client Authentication EKU in any newly issued SSL/TLS certificates. What do your customers need to do? If they don't use Sectigo SSL/TLS certificates for mutual TLS (mTLS), server-to-server authentication, or other Client Authentication use cases, no action is required. If they are using SSL/TLS certificates for Client Authentication purposes, we recommend they evaluate alternative solutions as soon as possible. For most organizations, Private PKI offers the best path forward to support mTLS and similar use cases. Please contact a Sectigo sales representative to assist with planning and deploying a Private CA tailored to the environment. Need assistance? If you are unsure whether this change impacts your customers, or if you need guidance on migrating to alternative solutions, please contact us at clientauth@sectigo.com. Learn more For additional information, we have prepared a FAQ covering the deprecation timeline, impacted services, and alternative options. https://www.sectigo.com/faq-client-authentication-eku-deprecation Thank you for your prompt attention to this important industry change.