
Intermediate certificates

Intermediate certificates provide a way for the browser to link your SSL certificate (which it doesn't trust by default) up to a root certificate that it does trust. Certificate Authorities (CAs) often delegate some functions to an intermediate CA, which can in turn further delegate to another intermediate CA. Each CA in the chain must have its own certificate issued by its parent. The information in each certificate allows the browser to build a chain of trust from your certificate to the trusted root CA.

Your web server must provide the intermediate certificates to the browser. If you are using IIS you would normally download your certificate in the PKCS7 format, which will automatically include the InCommon intermediate certificates. If you are using Apache and downloading your certificate in PEM format, you will need to follow the instructions below.

Apache configuration

Apache (version < 2.4.8) users configure intermediate certificates via the SSLCertificateChainFile directive.

Apache (version >= 2.4.8) users configure intermediate certificates via multiple SSLCertificateFile directives.

In either case you must provide:

  • The InCommon Server CA intermediate if you use an older, SHA-1 certificate.
  • The InCommon RSA Server CA and the USERTrust RSA Certification Authority if you use a SHA-2 certificate.

You can add all the intermediates to your certificate chain file without harm.

Java keystores or other special cases

Certain applications, such as Java keystores, may require you to provide the root certificate in addition to the intermediate certificates. You should obtain these from a trusted source like the certificate store on your local computer, or directly from the CA (the link to the certificate bundle is the last link at the bottom of the page).

Archived Certificate Chains

Intermediate certificate chains for InCommon certificates issued before or on October 5, 2014 are preserved here.  

InCommon intermediate certificates for sha-2 certificates signed after October 5, 2014

Note that you can usually leave out the second intermediate certificate here (USERTrust RSA Certification Authority) if your certificate was issued on or after May 31, 2017. Recent operating systems include a root certificate with the same DN as this certificate, and will automatically find the new trust chain. Omitting this certificate has the potential to cause problems with older clients that don't receive regular root certificate updates. Keep in mind, however, that even with both intermediate certificates included, clients that do not receive regular root certificate updates will all break in 2020, when the USERTrust RSA Certification Authority intermediate certificate expires (see the section below for more information). The USERTrust RSA Certification Authority intermediate certificate expires on May 30, 2020 at 03:48 Pacific Daylight Time.



subject= C=US, ST=MI, L=Ann Arbor, O=Internet2, OU=InCommon, CN=InCommon RSA Server CA
issuer= C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
signature hash algorithm=sha384


subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root


USERTrust Intermediate Expiration in 2020


The USERTrust RSA Certification Authority intermediate certificate expires on May 30, 2020 at 03:48 Pacific Daylight Time. This is an old intermediate certificate and modern operating systems have a new version available and won't be affected. When this certificate expires, operating systems without a new version of it will consider all InCommon certificates as "untrusted."  We don't expect very many people to be affected by this.

A list of exactly which operating systems and devices will be affected is not available.  We've been able to make some educated guesses about what might be affected, but this information is not exhaustive or verified.  If you have critical systems you should not rely on this information--check with the manufacturer or check yourself (if possible).  Instructions on how to do this are at the end of this section. 

Based on what we know, equipment released or receiving security updates after June 2010 will most likely not be affected.  Specific examples include:

  • Windows XP and later (XP was released in 2001 but received security updates through 2014)
  • Mac OS X Snow Leopard and later (Snow Leopard was released in 2009 but received security updates through 2013)
  • All iPhones

The following equipment may stop recognizing InCommon certificates after May 30, 2020:

  • Android or other phones made before 2010
  • Mac OS Leopard or earlier
  • Embedded devices (especially copy machines) made before June 2010.

Checking if you're affected

If your equipment trusts a root certificate with a subject CN of "USERTrust RSA Certification Authority" and an expiration date of January 18, 2038, it is not affected.  If you can't view the root certificates on your equipment, contact the manufacturer and see if they can provide you a list of trusted root certificates.  
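
One way to run this check on a machine that has Python, as an added example that is not part of the original page: it looks through a trust store for a certificate with the subject CN and the January 18, 2038 expiration date given above. The two sample stores, the AddTrust entry and the time-of-day values are constructed for illustration.

```python
import ssl
from datetime import date, datetime, timezone

TARGET_CN = "USERTrust RSA Certification Authority"
ROOT_EXPIRY = date(2038, 1, 18)  # root expiration date stated on this page

def common_name(name):
    """Pull commonName out of the nested-tuple names the ssl module returns."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def expiry_date(cert):
    """Convert a 'notAfter' string such as 'Jan 18 23:59:59 2038 GMT' to a date."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc).date()

def usertrust_entries(ca_certs):
    """(expiry, issuer CN) for every trusted certificate whose subject CN matches."""
    return [(expiry_date(c), common_name(c["issuer"]))
            for c in ca_certs if common_name(c["subject"]) == TARGET_CN]

def is_unaffected(ca_certs):
    """True when the store holds the root that expires on January 18, 2038."""
    return any(exp == ROOT_EXPIRY for exp, _ in usertrust_entries(ca_certs))

def entry(cn, not_after):
    """Build a constructed, self-signed trust-store entry for the samples."""
    name = ((("commonName", cn),),)
    return {"subject": name, "issuer": name, "notAfter": not_after}

# Constructed samples in the shape of SSLContext.get_ca_certs() output.
OLD_STORE = [entry("AddTrust External CA Root", "May 30 10:48:38 2020 GMT")]
NEW_STORE = OLD_STORE + [entry(TARGET_CN, "Jan 18 23:59:59 2038 GMT")]

if __name__ == "__main__":
    print("old store unaffected:", is_unaffected(OLD_STORE))
    print("new store unaffected:", is_unaffected(NEW_STORE))
    # Live check. Certificates kept in a capath directory are loaded on
    # demand, so an empty result here is not proof that the root is absent.
    live = ssl.create_default_context().get_ca_certs()
    for exp, issuer in usertrust_entries(live):
        print("trusted:", TARGET_CN, "expires", exp, "issued by", issuer)
    print("this machine unaffected:", is_unaffected(live))
```

A store that lists the USERTrust name only with the May 30, 2020 expiration holds the cross-signed intermediate rather than the root, and the check reports it as affected.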



5 Comments

  1. Hey thanks for this documentation.

    In my case though, the chain file "server-chain.crt" didn't already exist, so I ended up creating it with your 2nd block for SHA-2 post-2014.

    It totally worked. I'm on Apache 2.6 and I used the SSLCertificateChainFile directive to reference the server-chain file from the commented out example.

    Loading in the Intermediate Certificate is a pretty big deal, and it doesn't seem to be accommodated for very well outside of IIS. So I'm glad you've provided this documentation, but I believe that it should be at the forefront and presented to people at the time when they request their certificates.

  2. Why is cutting-and-pasting the only option? Why aren't there links to download these as files? 

  3. Bill,

    I think the "bundle" at the end of this page is what you want:

    https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/991/0/incommonssl-sha-2

    InCommon SSL certs are provided by Comodo.  

  4. I confirm that link works as of 2019-02-07.  I don't link directly to the bundle because I want to emphasize the importance of getting the root certs from a trusted source instead of a random link to a cert bundle (and expecting people to properly inspect the link before clicking it...although if they wouldn't check the link they may not check the address bar either).