This site requires JavaScript to be enabled
An updated version of this article is available

InCommon Certificate Chain

12501 views

13.0 - Last modified on 2026-03-13 Revised by Jonathon Taylor

12.0 - Last modified on 2026-03-12 Revised by Jonathon Taylor

11.0 - Last modified on 2026-03-12 Revised by Jonathon Taylor

10.0 - Last modified on 2026-03-12 Revised by Jonathon Taylor

9.0 - Last modified on 2026-03-12 Revised by Gillian Hu

8.0 - Last modified on 2025-12-18 Revised by Gillian Hu

7.0 - Last modified on 2025-10-14 Revised by Jonathon Taylor

6.0 - Last modified on 2025-05-13 Revised by Jonathon Taylor

5.0 - Last modified on 2025-05-09 Revised by Jonathon Taylor

4.0 - Last modified on 2024-06-01 Revised by Jonathon Taylor

3.0 - Last modified on 2024-06-01 Revised by Jonathon Taylor

2.0 - Last modified on 2024-06-01 Revised by Jonathon Taylor

1.0 - Created on 2023-05-18 Authored by Jonathon Taylor

Background

On May 4th, 2026 InCommon will begin issuing all TLS certificates, both RSA and ECC, from new public intermediate certificate authorities (CAs). These new intermediate CAs are cross-signed by the widely trusted, but now legacy, USERTrust RSA and ECC roots as well as the modern Sectigo Public Server R46 and E46 roots to ensure compatibility with older clients that may not yet include the new roots.

Important:  Chrome and Mozilla are removing trust for the legacy USERTrust CAs.  See this article for more information:  https://www.sectigo.com/resource-library/changes-to-root-ca-hierarchies-and-trust-status#removal-of-trust-for-legacy-cas

What this means for you:

Certificate chain for InCommon-supplied SSL certificates (May 4th 2026)

NOTE:  The Sectigo/InCommon Certificate Manager will provide links to the appropriate chains described below when certificates are issued.  Certificates issued using ACME should automatically contain the appropriate chains.

RSA Certs

When using certificates issued by InCommon for your service/server, the recommended certificate chain is as follows to ensure maximum backward compatibility.  You should include all three of the certificates listed below in your application/server's TLS configuration.

your_server_leaf_certificate
InCommon RSA OV SSL CA 3 (intermediate)
Sectigo Public Server Authentication Root R46 (cross-signed, intermediate/bridge certificate)

You can download these certificates here:

ECC Certs

When using certificates issued by InCommon for your service/server, the recommended certificate chain is as follows to ensure maximum backward compatibility.  You should include all three of the certificates listed below in your application/server's TLS configuration.

your_server_leaf_certificate
InCommon ECC OV SSL CA 3 (intermediate)
Sectigo Public Server Authentication Root E46 (cross-signed, intermediate/bridge certificate)

You can download these certificates here:

About cross-signed certificates

We are recommending that the new cross-signed intermediates be used for maximum backward compatibility.  This provides two verification paths for certificates during the transition off of the USERTrust root CA.

The two verification paths

Path A: via USERTrust (cross-signed chain)

Leaf cert
  └── InCommon RSA OV SSL CA 3
        └── Sectigo Public Server Authentication Root R46 (cross-signed)
              └── USERTrust RSA Certification Authority  ← root in trust store
 

Path B: via R46 as native root

Leaf cert
  └── InCommon RSA OV SSL CA 3
        └── Sectigo Public Server Authentication Root R46 (self-signed)  ← root in trust store

Because R46 has the same Subject DN and public key in both variants, a client that has the self-signed R46 in its trust store will recognize the cross-signed cert in the chain as anchoring to that trusted root. It terminates the chain there and never needs to go up to USERTrust.

What happens when USERTrust is distrusted

Certificate chain for InCommon-supplied SSL certificates (until May 2026)

RSA Certs

When using certificates issued by InCommon for your service/server, the recommended certificate chain is as follows.  You should include the first two certificates listed below in your application/server's TLS configuration.

your_server_leaf_certificate
InCommon RSA Server CA 2 (intermediate; expires 2032)
USERTrust RSA Certification Authority (root; expires 2038)

You can download these certificates here:

ECC Certs

When using certificates issued by InCommon for your service/server, the recommended certificate chain is as follows.  You should include the first two certificates listed below in your application/server's TLS configuration.

your_server_leaf_certificate
InCommon ECC Server CA 2 (intermediate; expires 2032)
USERTrust ECC Certification Authority (root; expires 2038)

You can download these certificates here:

Which certificates to send (after May 2026)

We recommend sending the cross-signed "Sectigo  Public  Server  Authentication  Root R46 or E46" intermediate, the "InCommon ECC or RSA OV SSL CA 3" intermediate, and your server certificate. There is almost never any reason to send the legacy USERTrust root certificate.

Should you send the root CA certificate?

No. Clients connecting to your application have a collection of their own trusted certificates so if they do not already trust your root certificate nothing is changed by your application sending it.

Validating certificate source

Your server's SSL certificate is supplied by InCommon if it is issued by the "InCommon ECC or RSA" certificate. To see your certificate's issuer you can use the online certificate decoder. You can also use the openssl tool:

openssl x509 -noout -in /path/to/your/server/certificate -issuer

 

Attachments InCommonECCServerCA2.crt.txtInCommonRSAServerCA2.crt.txt
Revised by Jonathon Taylor
Last modified 2 weeks ago