Cause:
Since June 2, 2025, SECTIGO has been using a new CA-Bundle / certificate path. The new certificates must be installed on the server and an old self-signed Sectigo Root certificate needs to be disabled/removed so all clients can trust it.
Solution / Downloads:
interssl-sectigo-fix.ps1 for Windows/IIS/Exchange (MUST use "Run as administrator")
New_Sectigo_Cross.pdf Sectigo tutorial with manual steps and explanations
CA-Bundle-2025.crt
Running PowerShell Script as administrator
Start → „PowerShell“ → Right click → „Run as administrator“
cd "C:\path\to\Script" .\interssl-sectigo-fix.ps1
or
cd "$env:USERPROFILE\Downloads" .\interssl-sectigo-fix.ps1
Verify installation:
You can verify the installation at https://www.ssllabs.com/ssltest. In the test results, expand "Certificate Paths". For Path 1 and Path 2, there must be no "Extra download" shown. Path 3 is a "legacy path" for very, very old clients (SHA-1 Root) and is practically no longer relevant, so you can ignore it.
