Sectigo Notice: Legacy Chain Re-Issuance Will End After December 31, 2025

Sectigo has announced an important change affecting the re-issuance of SSL/TLS certificates. Beginning January 1, 2026, Sectigo will no longer support the re-issuance of certificates using legacy (older) trust chains. All reissued certificates will instead be issued only under current, modern chains.

Who Is Affected?

This change primarily affects Microsoft server environments where some end-users are still using outdated operating systems or devices. In rare cases, these legacy systems do not trust Sectigo’s newer root certificates, which can cause trust warnings or connection failures.

Previously, administrators could work around this issue by re-issuing the certificate with an older, cross-signed chain. However, Microsoft systems may not always honour this workaround — particularly when a shorter, but untrusted, chain path exists. In these environments, the client may ignore the cross-signed chain and opt for the shorter, untrusted path instead, resulting in a certificate validation failure.

Recommended Mitigation

Sectigo and Microsoft jointly recommend the following approach:

  • Identify and remove the problematic (untrusted) root certificate from the trust store on affected Microsoft servers.
  • Alternatively, disable the certificate path that prefers the untrusted root, ensuring the valid Sectigo root is selected.

This ensures that the correct certificate chain is used during validation, helping to avoid trust warnings, browser errors, and service interruptions.
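To see which chain path a given Windows machine actually selects before changing its trust store, the following PowerShell sketch builds the chain locally and lists each element. It is an added example, not code from Sectigo, Microsoft or EuroSSL, and `$CertPath` is a hypothetical path to your exported server certificate.

```powershell
# Added example: show the chain this Windows machine builds for one certificate.
# $CertPath is a hypothetical path to the server certificate exported as .cer/.crt.
param(
    [Parameter(Mandatory)] [string] $CertPath
)

$x509  = 'System.Security.Cryptography.X509Certificates'
$cert  = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path
$chain = New-Object "$x509.X509Chain"
# Skip revocation so the result reflects path selection and trust only.
$chain.ChainPolicy.RevocationMode = 'NoCheck'

# Build() returns $true only if the selected path ends in a root this machine trusts.
$trusted = $chain.Build($cert)

# One row per certificate in the selected path, leaf first.
$rows = for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $element = $chain.ChainElements[$i]
    $c = $element.Certificate
    [pscustomobject]@{
        Depth      = $i
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        SelfSigned = ($c.Subject -eq $c.Issuer)
        Status     = ($element.ChainElementStatus.Status -join ', ')
    }
}
$rows | Format-List

# The last element is the top of the path Windows chose; report where it is stored.
$top    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$stores = 'Root', 'AuthRoot', 'CA', 'Disallowed' |
    Where-Object { Test-Path "Cert:\LocalMachine\$_\$($top.Thumbprint)" }

"Chain trusted by this machine: $trusted"
"Top of selected path: $($top.Subject) [$($top.Thumbprint)]"
"Present in LocalMachine stores: $($stores -join ', ')"
if (-not $trusted) {
    # Overall chain errors, for example UntrustedRoot or PartialChain.
    "Chain status: $($chain.ChainStatus.Status -join ', ')"
}
```

Comparing the output from an affected system with that from a current one shows whether the two select different paths for the same certificate.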

When Removal Is Not Possible

In environments where modifying the trust store is not feasible due to policy, compliance, software limitations, or embedded systems, the only practical alternative may be to switch to a different Certificate Authority whose root chain is trusted by the impacted devices.

Key Dates

  • Until December 31, 2025 — Re-issuance under legacy chains is still supported.
  • From January 1, 2026 onward — All reissued Sectigo certificates will use only modern chains.
    Legacy chain re-issuance will no longer be possible.

Organisations relying on legacy trust behaviour should review their infrastructure well in advance to avoid unexpected outages.

What EuroSSL Recommends

If you manage SSL/TLS deployments in Microsoft environments, we strongly suggest:

  1. Auditing device and OS trust compatibility
  2. Identifying any dependencies on legacy Sectigo roots
  3. Testing chain behaviour in staging environments
  4. Planning remediation before December 2025

Our team is available to support certificate lifecycle planning and migration where required.

Learn More

This topic is discussed in greater depth in the following vendor resources:
