Background
As of March 28th 2023 a new InCommon intermediate CA was issued. Starting on August 31st, 2023 all certificates issued by the Sectigo / InCommon certificate service are signed by this intermediate.
The InCommon RSA Server CA 2 (expires Nov 15, 2032) replaces the InCommon RSA Server CA (expires October 5th, 2024).
If you are using ECC certificates please use the InCommon ECC Server CA 2 (Expires Nov 15, 2032).
Recommended certificate chain for InCommon-supplied SSL certificates
RSA Certs
When using "v2" certificates issued by Sectigo / InCommon for your service/server, the recommended certificate chain for certificates supplied by InCommon is:
your server certificate
InCommon RSA Server CA 2 (intermediate; expires 2032)
USERTrust RSA Certification Authority (root; expires 2038)You can download these certificates here:
ECC Certs
When using "v2" certificates issued by Sectigo / InCommon for your service/server, the recommended certificate chain for certificates supplied by InCommon is:
your server certificate
InCommon ECC Server CA 2 (intermediate; expires 2032)
USERTrust ECC Certification Authority (root; expires 2038)You can download these certificates here:
Which certificates to send
We recommend sending only the "InCommon RSA Server CA 2" intermediate certificate and your server certificate. There is almost never any reason to send the root certificate.
Should you send the root certificate?
No. Clients connecting to your application have a collection of their own trusted certificates so if they do not already trust your root certificate nothing is changed by your application sending it.
Validating certificate source
Your server's SSL certificate is supplied by InCommon if it is issued by the "InCommon RSA Server CA 2" certificate. To see your certificate's issuer you can use the online certificate decoder. You can also use the openssl tool:
openssl x509 -noout -in /path/to/your/server/certificate -issuer