New Roots | SwissSign
A data security specialist by Swiss Post

New SwissSign CA certificates

SwissSign created new CA certificates at the beginning of August 2021. Two separate certificate hierarchies will now be established: one for TLS, with its own root and cross certificates and three issuing CAs, and one for Secure Email (S/MIME), with root and cross certificates and three issuing CA certificates.

The new certificates are available for download at the following links: 

TLS/SSL:

S/MIME:

The new hierarchies will begin operating on 17 October 2021. 

What do you need to do?

For certificates issued previously: Nothing will change. You do not need to do anything.

For new certificates to be issued: Systems acting as clients, such as Windows, will automatically download missing CA certificates when checking the validity of certificates. These systems can make a seamless transition to the new hierarchies without further interaction. We still recommend, however, that you install the new CA certificates on your system (server or email sender). For more information on how this works for each system, see the links below:
 


Doing so will also guarantee interoperability with non-standard software. 

Today:

From 18 October 2021:

List of abbreviations: DV = Domain Validation, OV = Organisation Validation, EV = Extended Validation, LCP = Lightweight Certificate Policy, NCP = Normalized Certificate Policy

The existing Gold G2 and Silver G2 root certificates are included in the ‘Truststores’ (databases of trustworthy certificates in browsers, operating systems, email clients, etc.). The new hierarchies are also connected with the prior Gold G2 root, and are thus also trustworthy.

Why is this rearrangement happening?
  • Separation of the SSL/TLS hierarchy from the Secure Email hierarchy: In accordance with browser manufacturers’ new recommendations, the two hierarchies are to be separated in future. 

  • Periodic reissuance: CA certificates must be reissued periodically, since older root certificates from Truststore providers have to be deleted from the Truststores. This means that the latest security developments can be taken into account at all times and certificate customers benefit from the best possible protection.