The InCommon Certificate Chain

Stanford gets many of its SSL certificates from the InCommon Certificate service. Here is some information about InCommon-supplied certificates and certificate chains.

New InCommon/Sectigo chain (After May 4, 2026)

Due to the planned distrust dates of the USERTrust ECC/RSA intermediate CA, InCommon intermediate CA will be moved to the following new CA chain in May 4, 2026.

your server certificate (leaf)
     └── InCommon RSA OV SSL CA 3 (intermediate; expires 2035)
           └── Sectigo Public Server Authentication Root R46 (root/intermediate; xSigned using USERTrust; expires 2038)
                 └── USERTrust RSA Certification Authority (root; expires 2038)

You can download these certificates here:

• InCommon RSA OV SSL CA 3
• USERTrust2038-R46-InCommon2035-bundle

Which certificates should my application send?

We recommend sending only the "InCommon RSA Server CA 3" (after 5/4/2026) intermediate certificate and your server certificate. There is almost never any reason to send the root certificate.

Do I need to send the root certificate?

No. Clients connecting to your application have a collection of their own trusted certificates so if they do not already trust your root certificate nothing is changed by your application sending it. See also this Information Security Stack Exchange post.

How do I know where my certificate came from?

Your server's SSL certificate is supplied by InCommon if it is issued by the "InCommon RSA Server CA 2" certificate. To see your certificate's issuer you can use the online certificate decoder. You can also use the openssl tool:

openssl x509 -noout -in /path/to/your/server/certificate -issuer

Some useful links

• Request a certificate
• TLS 1.2 specification (has some certificate information)
• Sectigo-InCommon-Chain-Hierarchy-Intermediates-and-Roots
• InCommon Sectigo Certificate Manager CA Hierarchy (as of 4/24/2026)