Overview
Sectigo is migrating to a new certificate chain based on its updated Public Root and Issuing CA hierarchy. The new hierarchy has been incorporated into the trusted root stores of:
- Microsoft
- Apple
- Google / Chrome
- Mozilla
This change affects TLS certificate validation for clients connecting to our services.
Who Is Affected
Clients using outdated runtime environments or security libraries may encounter certificate validation errors on *.everbinding.nl and *.econnect.eu when the new chain is presented.
This particularly includes:
- Older Java versions
- Legacy JVM truststores
- Outdated OpenSSL versions
- Systems with manually managed or restricted trust stores
Modern platforms that regularly update their trusted root stores are generally not affected.
Temporary Workaround
To maintain compatibility during the transition period, we have implemented a temporary workaround.
Important:
- The workaround is not fully stable.
- In certain cases, the new certificate chain may still be presented.
- The workaround will be removed on the dates listed below.
Clients must update their environments before the workaround is disabled.
Required Actions
To ensure uninterrupted connectivity, complete one of the following before the deadline:
Option 1 – Install and Trust the New Certificates
Manually install and trust:
- The new Sectigo Public Root certificate
  - Download Root Sectigo Public Server Authentication Root R46 (July 22, 2025)
- The corresponding intermediate (Issuing CA) certificate
Ensure these certificates are added to your system or application trust store.
Option 2 – Update Runtime and Security Libraries
Upgrade your environment to versions that natively trust the new Sectigo hierarchy, including:
- Updated Java runtime (JRE/JDK)
- Updated operating system root certificates
- Updated OpenSSL libraries
- Updated container base images
This is the recommended long-term solution.
Deadlines
The temporary compatibility workaround will be disabled on:
- Acceptance environment: April 1, 2026
- Production environment: May 1, 2026
After these dates, only the new certificate chain will be presented.
Clients who have not updated their trust configuration may experience TLS handshake failures or certificate validation errors.
Potential Error Messages
Depending on your platform, you may see errors such as:
- PKIX path building failed
- unable to find valid certification path to requested target
- certificate verify failed
- unknown CA
- TLS handshake failure
These indicate that the new Sectigo root or intermediate certificate is not trusted by your environment.
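Because the workaround may still let the new chain through, client logs can show which systems need a trust store update before the deadlines. The script below is an added example, not part of the original notice: it scans log lines for the error strings listed above and reports them per client and affected host. The log layout, client names and the hostnames api.everbinding.nl and acc.econnect.eu are constructed assumptions.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Error strings from the list above, matched case-insensitively.
TRUST_ERRORS = (
    "PKIX path building failed",
    "unable to find valid certification path to requested target",
    "certificate verify failed",
    "unknown CA",
    "TLS handshake failure",
)
# Domains this notice names. fnmatch's "*" also spans dots, which is
# looser than TLS wildcard matching but fine for log triage.
AFFECTED = ("*.everbinding.nl", "*.econnect.eu")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample lines; assumed layout: "<timestamp> <client> <message>".
SAMPLE = [
    "2026-03-10T09:14:02Z billing-batch javax.net.ssl.SSLHandshakeException: "
    "PKIX path building failed: unable to find valid certification path to "
    "requested target (POST https://api.everbinding.nl/v1/docs)",
    "2026-03-10T09:15:40Z legacy-sync ssl error: certificate verify failed "
    "connecting to acc.econnect.eu:443",
    "2026-03-10T09:16:05Z web-portal GET https://api.everbinding.nl/v1/status 200",
    "2026-03-10T09:17:11Z legacy-sync certificate verify failed for internal.example.org",
]

def triage(lines):
    """Return {client: {affected_host: [matched error strings]}}."""
    found = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # not in the assumed layout
        client, message = parts[1], parts[2]
        lowered = message.lower()
        errors = [e for e in TRUST_ERRORS if e.lower() in lowered]
        if not errors:
            continue
        for host in HOST_RE.findall(lowered):
            # Count the error only when the line names an affected host.
            if any(fnmatchcase(host, pat) for pat in AFFECTED):
                found[client][host].update(errors)
    return {c: {h: sorted(e) for h, e in hosts.items()} for c, hosts in found.items()}

if __name__ == "__main__":
    for client, hosts in triage(SAMPLE).items():
        for host, errors in hosts.items():
            print(f"{client}: {host}: {', '.join(errors)}")
```

Lines that carry one of the error strings but name no affected host are ignored, so unrelated certificate failures do not appear in the report.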
Recommended Approach
- Update your runtime or operating system to a currently supported version.
- Test connectivity in the acceptance environment before April 1, 2026.
- Promote changes to production before May 1, 2026.
Performing updates early reduces the risk of production outages.