New SwissSign CA certificates
SwissSign created new CA certificates at the beginning of August 2021. Two separate certificate hierarchies will now be established: one for TLS, with its own root and cross certificates and three issuing CAs, and one for Secure Email (S/MIME), with root and cross certificates and three issuing CA certificates.
The new certificates are available for download at the following links:
TLS/SSL:
- Cross certificate of the new Root: https://swisssign.net/cgi-bin/authority/download/80F38FD9FC82688153C1E48B97501EA9F9C61CB5
- EV-ICA: https://swisssign.net/cgi-bin/authority/download/DA34D48E1023F46A2D6CB41FF32811DE5E01C4DE
- OV-ICA: https://swisssign.net/cgi-bin/authority/download/ACD03AC2C25755916911CC706A59388A8CAC9C3D
- DV-ICA: https://swisssign.net/cgi-bin/authority/download/3C9E527903636F4F9C811BD328700C245AEAA587
S/MIME:
- Cross certificate of the new Root: https://swisssign.net/cgi-bin/authority/download/090CBF2AA21D04240CB2F9400A41C2CF5A72AA80
- NCP ICA: https://swisssign.net/cgi-bin/authority/download/E1644D6ECA9EC75DC97ECD4FDC3B53F45D0F18D3
- NCP extended ICA: https://swisssign.net/cgi-bin/authority/download/2B661A63041903A719FC35E7C3B8D1368F4E9A41
- LCP ICA: https://swisssign.net/cgi-bin/authority/download/FA54C082A6FE96BD04C75F9F5F820C3DC3954F47
The new hierarchies will begin operating on 17 October 2021.
What do you need to do?
For certificates issued previously: Nothing will change. You do not need to do anything.
For new certificates to be issued: Systems acting as clients, such as Windows, will automatically download missing CA certificates when checking the validity of certificates. For these systems, it will be possible to make a seamless transition to the new hierarchies without further interaction. We still recommend, however, that you install the new CA certificates on your system (server or email sender). For more information on how this works for each system, see the links below:
- Apache <https://www.xolphin.com/support/Apache/Apache_from_version_2.4.8.-_Certificate_installation>
- Microsoft Internet Information Server <https://docs.microsoft.com/en-us/troubleshoot/iis/configure-intermediate-certificates>
- Microsoft Exchange <https://docs.microsoft.com/en-us/exchange/architecture/client-access/import-certificates?view=exchserver-2019>
Doing so will also guarantee interoperability with non-standard software.
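One way to confirm that an installed chain does not depend on clients downloading missing CA certificates, as an added example that is not SwissSign's own tooling. It assumes the `openssl` command-line tool and PEM files; all file names are placeholders, with the trusted root being the one already in the truststore and the downloaded file holding the issuing CA and cross certificate.

```bash
#!/bin/sh
# Added example, not SwissSign tooling. All file names are placeholders.
# openssl verify never downloads a missing issuer, so it behaves like a
# strict client that relies entirely on the certificates it is sent.

# check_chain ROOT.pem LEAF.pem [SENT.pem]
# Succeeds only if LEAF chains to ROOT using nothing but the CA
# certificates in SENT.pem (what the server or email sender transmits).
check_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# chain_status ROOT.pem LEAF.pem SENT.pem DOWNLOADED.pem
# SENT.pem may be "" when no CA certificate has been installed yet.
# DOWNLOADED.pem holds the issuing CA and cross certificate from the CA.
chain_status() {
    if check_chain "$1" "$2" "$3"; then
        echo "complete"      # strict clients can validate as deployed
    elif check_chain "$1" "$2" "$4"; then
        echo "incomplete"    # validates only where the client fetches issuers
    else
        echo "untrusted"     # wrong hierarchy or root for this certificate
    fi
}

# Example call (placeholder paths):
#   chain_status trusted-root.pem server.pem installed-chain.pem downloaded-cas.pem
```

A result of `incomplete` means the certificate is valid but the issuing CA or the cross certificate still has to be added to what the server sends.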
Today:
From 18 October 2021:
List of abbreviations: DV = Domain Validation, OV = Organisation Validation, EV = Extended Validation, LCP = Lightweight Certificate Policy, NCP = Normalized Certificate Policy
The existing Gold G2 and Silver G2 root certificates are included in the ‘Truststores’ (databases of trustworthy certificates in browsers, operating systems, email clients, etc.). The new hierarchies are also connected with the prior Gold G2 root, and are thus also trustworthy.
Why is this rearrangement happening?
- Separation of the SSL/TLS hierarchy from the Secure Email hierarchy: In accordance with browser manufacturers’ new recommendations, the two hierarchies are to be separated in future.
- Periodic reissuance: CA certificates must be reissued periodically, since older root certificates from Truststore providers have to be deleted from the Truststores. This means that the latest security developments can be taken into account at all times and certificate customers benefit from the best possible protection.