Dealing with Expired CA of “AddTrust External CA”

Removing Expired Certificate Authority and Steps are given as per details. Comodo’s Root Certificate “AddTrust External CA” Expired On 30th May 2020. Though this should not have an impact on your web application's security. I would like to share few things that I came across in few days.

Though the “cross-root” certificate has Signed your Leaf Certificate. If your server has “AddTrust External CA” it would serve the same to the client. This issue happens when your CA bundle file or your Certificate Store has “AddTrust External CA”. After giving a solution for a couple of the person about this problem. I found that it would be better if I can write a small blog about this one.

You can check if your certificate is affected by this update. You can use the valuable tool created by one of my favorite entrepreneurs in the SSL/PKI industry. You can check

You can download "AAACertificateServices.crt" from here

How to remove “AddTrust External CA” in Windows Server(GUI):

1. Log in to Windows Server as Administrator or Admin Equal Roles
2. Click on Start and Go to “Run”
3. Type “mmc” and hit “OK”
4. Click on “Files” -> “Add/Remove Snap-ins”
5. In “Add/Remove Snap-ins” Window Select “Certificates”
6. Click "Add"
7. When you click “Add”. There would be another popup

8. Select “Computer Account” Click “Next”. Select “Local Computer” and click “Finish.”
9. Click “OK”

10. Expand “Certificates”
11. After that, there will be many options to Expand You have to expand “Trusted Root Certificate Authorities”
12 Click “Certificates”

13. If you have “AAA Certificate Services” that is good but If you don’t have “AAA Certificates Services” following are the steps:
=> Right Click on Certificates
=> Click on “All Tasks” -> “Import”

=> Click “Next”

=> Click “Browse” and select the “AAACertificateServices.crt” file after that Click “Next”

=> On Certificate Store Window make sure that “Trusted Root Certificate Authorities” is visible Click “Next”

=>Click Finish to install the certificate

Following are steps to remove "AddTrust External CA"

1) Right Click on "AddTrust External CA"

2) Select Delete, When deleting CA you will get following message Click "Yes"

Please note that whenever you Add/Delete/Update "Trusted Root Certificate Authorities" You need to restart the server. Once, you restart the server the issue with Expired CA Certificate has been fixed.

If you do not want to do this using GUI, the following commands will help you:

1) certutil -addstore -f "ROOT" AAACertificateServices.crt

2) certutil -delstore “ROOT” 01

Following is command will help you to root CA Certificates in your Windows Certificate Stores directly from Windows Update:

certutil -generateSSTFromWU roots.sst

You need to reboot your server after running above commands.

Once the server is online again, everything is working fine. These steps are suitable for Windows 2008/Windows 2012/Windows 2016/Windows 2019.

If you are not using Windows Platform but using Linux and using Apache/Nginx, you need to do the following steps:


  1. Copy your CA to dir /usr/local/share/ca-certificates/
  1. Use command: sudo cp AAACertificateServices.crt /usr/local/share/ca-certificates/foo.crt
  1. Update the CA store: sudo update-ca-certificates
  1. Remove your CA.
  1. Update the CA store: sudo update-ca-certificates --fresh


  1. Install the ca-certificates package: yum install ca-certificates
  1. Enable the dynamic CA configuration feature: update-ca-trust force-enable
  1. Add it as a new file to /etc/pki/ca-trust/source/anchors/: cp AAACertificateServices.crt /etc/pki/ca-trust/source/anchors/
  1. Use command: update-ca-trust extract

If you are running JRE/JDK that uses, their own Certificate Store. You need to update it with new Certificate Authority using following command:

Locate the JRE installation directory and update it CACerts Store with

keytool -import -keystore cacerts -trustcacerts -file AAACertificateServices.crt -storepass changeit

This are steps that I did for various of my test environment and it is working fine. Please feel free to write to me if you have any Question regarding the same.

1 Comment

Leave a Comment