The root certificate, issued by a certification authority (CA), serves as the starting point of the certificate chain and has its own validity period, which is not influenced by the expiration of the SSL certificate.
The need to redeploy the root certificate after the SSL certificate expires depends on the following:
-
No replacement needed:
The root certificate comes pre-installed in mainstream browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, and operating systems like Windows, macOS, Android, and iOS mobile platforms. For these clients, there is no need to redeploy the root certificate when the SSL certificate or the CA root certificate expires. The CA will automatically update the root certificate for these clients.
-
Replacement needed:
For clients that do not have a pre-embedded root certificate, such as certain apps, Java clients, older browser versions, and Internet of Things devices, a change in the brand or type of the SSL certificate upon repurchase, or the expiration of the CA root certificate, may necessitate a root certificate update. In these instances, you must manually download and install the root certificate that matches the server certificate type on the affected client.
For more information on how to retrieve the root certificate, see download the root certificate.