Does any CA still issue certificates compatible with Starfield Class 2 Certification Authority?
I have a fleet of legacy IoT devices that trust only the root certificate:
Starfield Class 2 Certification Authority
I need to host a temporary HTTPS endpoint for a one-time firmware update, but the devices cannot be updated until they can successfully validate a server certificate.
Does anyone know of a public CA that still issues certificates whose chain can be validated using Starfield Class 2 Certification Authority, or offers a legacy/alternate chain compatible with that root?
This is for embedded device compatibility, not browser compatibility.
Top Answer/Comment:
This is for embedded device compatibility, not browser compatibility.
But the audience of public CAs is primarily web browsers, and so typically public CAs no longer issue certificates under roots that have been distrusted by web browsers. They might still support those roots for special uses, but they'll have no reason to offer it as a standard product – it's something that you'd need to negotiate with them specifically.
The Starfield Class 2 root seems to be operated by GoDaddy. Per crt.sh it has only Starfield intermediates, which are also operated by GoDaddy (i.e. none controlled by third parties), so no other CA or reseller can issue such certificates on their own – they must go through GoDaddy as the operator for the whole hierarchy. Contact them.
This AWS article says that GoDaddy already discontinued general operation of this root in April 2025, and AWS had to privately negotiate extended usage until December 2025. It is now six months after that (and more than a year after the general discontinuation of the root), so unless you are as large as AWS, personally I think it is unlikely that you'll get a new certificate from under that root.
But Starfield Class 2 has been used to cross-sign some replacement roots, so if any of those are still in operation, it might be possible to get a certificate under a more recent "Starfield" root CA and combine it with a cross-signed root or possibly two, serving the entire chain from your TLS server.
For example, in theory you could go Starfield Class 2 CA > cross-signed Starfield Root CA - G2 > cross-signed Starfield TLS Root CA - R1 > child Starfield TLS Intermediate CA DV - R1v1; the latter appears to be a new and actively used CA.
(The CA or reseller does not need to explicitly offer such a chain; as long as they offer a suitable current root, i.e. Starfield TLS Root CA - R1, you can build the rest yourself by downloading the cross-signs from crt.sh and combining them with your purchased certificate.)
Next time, make sure your IoT firmware includes a root CA that you operate. Public CAs exist so that public audiences could agree on what to trust. But when you're in direct control of all client devices, you don't need to rely on a public CA.
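The chain-assembly approach the answer describes, as an added OpenSSL demonstration that is not part of the original post: it builds a constructed throwaway hierarchy (hypothetical names standing in for the Starfield roots) and checks that a client trusting only the legacy root validates the leaf when the server sends the cross-signed root instead of the self-signed one.

```shell
#!/bin/sh
# Constructed demo hierarchy (hypothetical names):
#   Legacy Root (only trust anchor on the device) -> cross-signed New Root -> Intermediate -> leaf
set -e
W=$(mktemp -d); cd "$W"
printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf '[leaf]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:update.example.test\n' > leaf.ext

# 1. Legacy root: stands in for the root baked into the device firmware.
openssl req -new -newkey rsa:2048 -nodes -keyout legacy.key -out legacy.csr -subj '/CN=Legacy Root (demo)' 2>/dev/null
openssl x509 -req -in legacy.csr -signkey legacy.key -days 30 -extfile ca.ext -extensions ca -out legacy-root.pem 2>/dev/null

# 2. New root: one key, two certificates. Self-signed (what modern clients trust)
#    and cross-signed by the legacy root (the bridge the device can follow).
openssl req -new -newkey rsa:2048 -nodes -keyout newroot.key -out newroot.csr -subj '/CN=New Root (demo)' 2>/dev/null
openssl x509 -req -in newroot.csr -signkey newroot.key -days 30 -extfile ca.ext -extensions ca -out newroot-self.pem 2>/dev/null
openssl x509 -req -in newroot.csr -CA legacy-root.pem -CAkey legacy.key -CAcreateserial -days 30 -extfile ca.ext -extensions ca -out newroot-cross.pem 2>/dev/null

# 3. Intermediate issued by the new root, then the server leaf issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj '/CN=Intermediate (demo)' 2>/dev/null
openssl x509 -req -in inter.csr -CA newroot-self.pem -CAkey newroot.key -CAcreateserial -days 30 -extfile ca.ext -extensions ca -out inter.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj '/CN=update.example.test' 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 30 -extfile leaf.ext -extensions leaf -out leaf.pem 2>/dev/null

# Chain file the TLS server should send after the leaf: intermediate plus the CROSS-SIGNED root.
cat inter.pem newroot-cross.pem > served-chain.pem
# A chain that ends in the self-signed new root instead; the legacy-only client cannot reach its anchor.
cat inter.pem newroot-self.pem > wrong-chain.pem

# verify_as_device CHAIN: succeeds only if leaf.pem validates with the legacy root as the sole trust anchor.
verify_as_device() {
  openssl verify -CAfile legacy-root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
}
```

Run `openssl verify -show_chain` with the same arguments to see the exact path the client builds through the cross-signed root.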