SSL.com Begins Root Certificate Rotation, Urges Audit of Custom Trust Stores
Certificate authority SSL.com has begun rotating its root certificate hierarchy, prompting warnings for organizations with custom trust configurations to audit their systems for potential service disruptions.

SSL.com has initiated a scheduled rotation of its root certificate hierarchy, effective May 5, 2026. While the certificate authority describes this as a standard operational procedure, the transition requires attention from organizations that have implemented non-standard configurations involving the legacy 2016 root certificates.
The technical implications of this rotation center on how systems validate trust. Organizations that rely on standard web browser trust stores are unlikely to experience issues. However, the migration poses significant risks for environments utilizing pinned trust anchors, custom trust stores, or hardcoded certificate validation logic tied specifically to the 2016 root hierarchy (SANS Internet Storm Center). Failure to update these configurations to align with the new root infrastructure could result in service disruptions or authentication failures (SANS Internet Storm Center).
To facilitate a smoother transition, SSL.com has advised affected users to utilize cross-certificates, which serve as a bridge to maintain backward compatibility with the 2016 root hierarchy during the migration period (SANS Internet Storm Center). Additionally, the provider is encouraging a migration toward dedicated client certificates. These purpose-built certificates are designed to be unaffected by upcoming changes in Google Chrome’s server authentication requirements, which are set to impact SSL/TLS certificates that include the ClientAuth Extended Key Usage (EKU) attribute (SANS Internet Storm Center).
Detailed guidance regarding the migration and the specific impact on various service implementations can be found in the official SSL.com advisory. Administrators are urged to audit their current certificate validation logic and trust store configurations promptly to ensure continued service availability (SANS Internet Storm Center).
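One way to run the audit described above, as an added example that is not code from SSL.com or the SANS Internet Storm Center: it fingerprints every certificate in a custom PEM trust store and searches configuration text for hardcoded SHA-256 certificate fingerprints, reporting any that match the legacy roots. It assumes the operator supplies the 2016 root certificates in PEM form from the SSL.com advisory; the sample data is constructed placeholder bytes, and all function names are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# SHA-256 fingerprint as 64 hex digits, optionally colon-separated (openssl style).
PIN_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:?){31}[0-9A-Fa-f]{2}\b")


def pem_fingerprints(pem_text):
    """SHA-256 (lowercase hex) over the DER bytes of each certificate in a PEM bundle."""
    return [
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_RE.findall(pem_text)
    ]


def pinned_fingerprints(text):
    """Hardcoded certificate fingerprints found in config or source text."""
    return {m.group(0).replace(":", "").lower() for m in PIN_RE.finditer(text)}


def audit(legacy_roots_pem, trust_store_pem, config_text):
    """Report where the legacy roots are still trusted or pinned."""
    legacy = set(pem_fingerprints(legacy_roots_pem))
    return {
        "trust_store": sorted(legacy.intersection(pem_fingerprints(trust_store_pem))),
        "pinned": sorted(legacy & pinned_fingerprints(config_text)),
    }


def make_pem(der):
    """Wrap bytes in PEM armour (used only to build the constructed sample)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample: placeholder bytes stand in for real DER certificates.
LEGACY = make_pem(b"constructed legacy 2016 root")
STORE = make_pem(b"constructed unrelated root") + LEGACY
_fp = pem_fingerprints(LEGACY)[0].upper()
CONFIG = "pin = " + ":".join(_fp[i:i + 2] for i in range(0, 64, 2)) + "\n"

if __name__ == "__main__":
    print(audit(LEGACY, STORE, CONFIG))
```

Pins expressed as public-key (SPKI) hashes rather than whole-certificate fingerprints are not detected by this check and need to be compared separately.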
Root certificate rotation is an inevitable lifecycle event for all certificate authorities, as existing roots eventually expire. This event serves as a reminder for organizations to maintain visibility into their certificate dependencies, particularly in automated or non-browser environments where trust anchors are manually managed. Monitoring for such lifecycle changes is essential to preventing unexpected outages in complex digital infrastructures.