Sectigo Announcement on the Deprecation of Root CA: AAA Certificate Services

Mozilla and Chrome have updated their root certificate policies, limiting the maximum lifetime of a Root CA certificate to 15 years from the time the private key is created in order to enhance security and adaptability.
As a result, starting April 15, 2025, the TLS trust bits associated with the Root CA “AAA Certificate Services” will be removed in newer versions of browsers.

Impact

• From April 15, 2025, all certificates issued under the Root CA “AAA Certificate Services” will no longer be trusted by updated versions of Firefox, NSS, and Chrome.
• If you are using the Root CA “AAA Certificate Services” for legacy platforms—such as Firefox and Chrome versions released prior to April 15, 2025—or certificate chains cross-signed by this Root CA to support older platforms, this change will not affect those environments.
• Please note that any certificate reissuance after April 15, 2025 will be issued under a new Root CA.

Recommended Actions

• Avoid certificate/key pinning: If your systems use certificate pinning or key pinning, ensure they do not rely on the Root CA “AAA Certificate Services,” as this root will no longer be trusted in future browser updates.
• To ensure business continuity, it is strongly recommended that you assess the impact of this change as early as possible and plan an appropriate migration strategy.