Skip to content Skip to site navigation Skip to service navigation

The InCommon Certificate Chain

Stanford gets many of its SSL certificates from the InCommon Certificate service. Here is some information about InCommon-supplied certificates and certificate chains.

What is the current recommended certificate chain for InCommon-supplied SSL certificates?

As of June 2020, the recommended certificate chain for certificates supplied by InCommon is:

your server certificate
InCommon RSA Server CA (intermediate; expires 2024)
USERTrust RSA Certification Authority (root; expires 2038)

You can download these certificates here:

Which certificates should my application send?

We recommend sending only the "InCommon RSA Server CA" intermediate certificate and your server certificate. There is almost never any reason to send the root certificate.

Do I need to send the root certificate?

No. Clients connecting to your application have a collection of their own trusted certificates so if they do not already trust your root certificate nothing is changed by your application sending it. See also this Information Security Stack Exchange post.

How do I know where my certificate came from?

Your server's SSL certificate is supplied by InCommon if it is issued by the "InCommon RSA Server CA" certificate. To see your certificate's issuer you can use the online certificate decoder. You can also use the openssl tool:

openssl x509 -noout -in /path/to/your/server/certificate -issuer

Some useful links



Last modified June 15, 2020