Skip to Content [alt-c]


In reply to Fixing the Breakage from the AddTrust External CA Root Expiration

Reader F30 on 2020-05-30 at 23:09:

Are you aware that there is at least one other current Root CA which used to be cross-signed by "AddTrust External CA Root" - "COMODO RSA Certification Authority"? (, old cross-signed cert is

Additionally there is another variant of the "USERTrust RSA Certification Authority" cert ( issued by the "AAA Certificate Services" Root CA ( That one should still be valid until 2028.

However, cURL on macOS 10.14 (built against LibreSSL 2.6.5) also fails to connect to servers sending a security chain containing the latter. This is interesting, since "AddTrust External CA Root" never occurs in that chain. One example for it is


Post a Reply

Your comment will be public. To contact me privately, email me. Please keep your comment polite, on-topic, and comprehensible. Your comment may be held for moderation before being published.

(Optional; will be published)

(Optional; will not be published)

(Optional; will be published)

  • Blank lines separate paragraphs.
  • Lines starting with > are indented as block quotes.
  • Lines starting with two spaces are reproduced verbatim (good for code).
  • Text surrounded by *asterisks* is italicized.
  • Text surrounded by `back ticks` is monospaced.
  • URLs are turned into links.
  • Use the Preview button to check your formatting.