Background
Starting in 2025 (date TBD), Sectigo will begin issuing all TLS and S/MIME certificates, both RSA and ECC, from new public root certificate authorities (CAs). These new root CAs are cross-signed by the widely trusted, but now legacy, USERTrust RSA and ECC roots to ensure compatibility with older clients that may not yet include the new roots.
What this means for you:
- Custom trust stores: If your client-side code explicitly trusts a specific root CA instead of relying on the operating system’s built-in CA store (an uncommon setup), you will need to update it to trust the new root when the server certificate is renewed.
- Widespread compatibility: Most modern applications, browsers, and operating systems already trust the new certificate chain.
- No impact to existing certificates: Certificates issued before May 15, 2025, will continue to work normally.
- New certificates use new chain: Certificates issued on or after May 15, 2025, will use the new root CA chain.
Certificate chain for InCommon-supplied SSL certificates (TBD 2025)
NOTE: The Sectigo/InCommon Certificate Manager will provide links to the appropriate chains described below when certificates are issued. Certificates issued using ACME should automatically contain the appropriate chains.
RSA Certs
When using certificates issued by Sectigo / InCommon for your service or server, the recommended certificate chain, chosen for maximum backward compatibility, is as follows:
your server certificate
InCommon RSA Server CA 2 (intermediate; TBD)
Sectigo Public Server Authentication Root R46 (cross intermediate; expires January 18, 2038)
You can download these certificates here:
- InCommon RSA Server CA 2
- Sectigo Public Server Authentication Root R46 (cross-signed with USERTrust Root)
ECC Certs
When using certificates issued by Sectigo / InCommon for your service or server, the recommended certificate chain, chosen for maximum backward compatibility, is as follows:
your server certificate
InCommon ECC Server CA 2 (intermediate; expires TBD)
Sectigo Public Server Authentication Root E46 (cross intermediate; expires January 18, 2038)
You can download these certificates here:
- InCommon ECC Server CA 2
- Sectigo Public Server Authentication Root E46 (cross-signed with USERTrust Root)
Certificate chain for InCommon-supplied SSL certificates (until TBD 2025)
RSA Certs
When using certificates issued by Sectigo / InCommon for your service/server, the recommended certificate chain for certificates supplied by InCommon is:
your server certificate
InCommon RSA Server CA 2 (intermediate; expires 2032)
USERTrust RSA Certification Authority (root; expires 2038)
You can download these certificates here:
ECC Certs
When using certificates issued by Sectigo / InCommon for your service/server, the recommended certificate chain for certificates supplied by InCommon is:
your server certificate
InCommon ECC Server CA 2 (intermediate; expires 2032)
USERTrust ECC Certification Authority (root; expires 2038)
You can download these certificates here:
Which certificates to send
We recommend sending the cross-signed "Sectigo Public Server Authentication Root" intermediate, the "InCommon RSA Server CA 2" intermediate, and your server certificate. There is almost never any reason to send the root certificate.
Should you send the root certificate?
No. Clients connecting to your application have their own collection of trusted certificates, so if they do not already trust your root certificate, sending it from your application changes nothing.
Validating certificate source
Your server's SSL certificate is supplied by InCommon if it is issued by the "InCommon RSA Server CA 2" certificate. To see your certificate's issuer you can use the online certificate decoder. You can also use the openssl tool:
openssl x509 -noout -in /path/to/your/server/certificate -issuer
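Added example, not part of the original page or of any Sectigo/InCommon tooling: a shell function that lints the PEM bundle your server is configured to send, covering both "Which certificates to send" (no self-signed root, each certificate followed by its issuer) and the issuer check shown in the openssl command above. The names check_bundle, name and make_demo_chain, and the throwaway chain the last one builds, are constructed for illustration.

```bash
# Added example: lint the PEM bundle a server sends (leaf first, then intermediates).

# name FIELD FILE -> subject or issuer DN of the first certificate in FILE
name() { openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1= *//"; }

# check_bundle FILE -> prints findings; status 0 if clean, 1 if not (body runs in a subshell)
check_bundle() (
  bad=0
  [ -r "$1" ] || { echo "cannot read $1" >&2; exit 2; }
  dir=$(mktemp -d) || exit 2
  # Split the bundle into cert1.pem, cert2.pem, ... in the order they are sent.
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/cert" n ".pem")}' "$1"
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
  if [ "$n" -eq 0 ]; then echo "FINDING: no certificates in $1"; bad=1; fi
  i=1
  while [ "$i" -le "$n" ]; do
    subj=$(name subject "$dir/cert$i.pem")
    iss=$(name issuer "$dir/cert$i.pem")
    echo "[$i] subject: $subj"
    echo "    issuer:  $iss"
    if [ "$subj" = "$iss" ]; then
      echo "    FINDING: self-signed certificate; clients ignore a root you send"
      bad=1
    fi
    if [ "$i" -lt "$n" ] && [ "$iss" != "$(name subject "$dir/cert$((i + 1)).pem")" ]; then
      echo "    FINDING: next certificate is not this issuer (wrong order or missing intermediate)"
      bad=1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  exit "$bad"
)

# make_demo_chain DIR -> constructed throwaway root.pem, int.pem, leaf.pem in DIR
make_demo_chain() (
  cd "$1" || exit 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
    -keyout root.key -out root.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -out int.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -out leaf.pem 2>/dev/null
)
# Stand-alone use: pass the path of the bundle your server sends as the first argument.
if [ $# -gt 0 ]; then check_bundle "$1"; fi
```

The check compares issuer and subject names only; it does not verify signatures or trust, which `openssl verify` does.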