
The InCommon Certificate Chain

Stanford gets many of its SSL certificates from the InCommon Certificate service. Here is some information about InCommon-supplied certificates and certificate chains.

Current CA chain (Until May 2026)

As of Oct 2023, the recommended certificate chain for certificates supplied by InCommon is:

your server certificate (leaf)
     └── InCommon RSA Server CA 2 (intermediate; expires 2032)
           └── ⚠️ USERTrust RSA xSigned using AAA CA (intermediate; expires 2028)
                 └── AAA Certificate Services (root; expires 2028)

You can download these certificates here:

New chain (After May 4, 2026)

Because of the planned distrust dates for the USERTrust ECC/RSA intermediate CA above, the InCommon intermediate CA will move to the following new CA chain on May 4, 2026.

your server certificate (leaf)
     └── InCommon RSA OV SSL CA 3 (intermediate; expires 2035)
           └── Sectigo Public Server Authentication Root R46 (root/intermediate; xSigned using USERTrust; expires 2038)
                 └── USERTrust RSA Certification Authority (root; expires 2038)

You can download these certificates here:

Which certificates should my application send?

We recommend sending only the "InCommon RSA Server CA 2" (before 5/4/2026) or "InCommon RSA Server CA 3" (after 5/4/2026) intermediate certificate and your server certificate. There is almost never any reason to send the root certificate.

Do I need to send the root certificate?

No. Clients connecting to your application have their own collection of trusted certificates, so if they do not already trust your root certificate, your application sending it changes nothing. See also this Information Security Stack Exchange post.
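
The shell function below is an added example, not part of the original page. It checks the PEM bundle a server is configured to send against the two answers above, flagging any self-issued (root) certificate and any certificate that is not in leaf-first order. It assumes the `openssl` command is installed; the name `check_bundle` and the file names are illustrative.

```shell
#!/bin/sh
# check_bundle FILE: inspect the PEM bundle a server sends (leaf first).
# Returns 0 if clean, 1 if a root is included or the order is wrong,
# 2 if FILE holds no certificate. Names here are illustrative.
check_bundle() {
    bundle=$1
    rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: cert.1, cert.2, ...
    n=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                         n { print > (d "/cert." n) }
                         END { print n + 0 }' "$bundle")
    if [ "${n:-0}" -eq 0 ]; then
        echo "no certificates found in $bundle"
        rm -rf "$tmp"
        return 2
    fi
    i=1
    prev_issuer=""
    while [ "$i" -le "$n" ]; do
        f="$tmp/cert.$i"
        # Hashes of the subject and issuer names, used for name comparison.
        subj=$(openssl x509 -noout -subject_hash -in "$f")
        iss=$(openssl x509 -noout -issuer_hash -in "$f")
        echo "[$i] $(openssl x509 -noout -subject -in "$f")"
        # Subject == issuer: self-issued, i.e. a root the client either
        # already trusts or will not trust just because it was sent.
        if [ "$subj" = "$iss" ]; then
            echo "    self-issued root: drop it from the bundle"
            rc=1
        fi
        # Each certificate must be the issuer of the one before it.
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "    out of order: does not issue certificate $((i - 1))"
            rc=1
        fi
        prev_issuer=$iss
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: sh check_bundle.sh /path/to/bundle.pem
if [ "$#" -gt 0 ]; then check_bundle "$1"; fi
```

The check compares names only; it does not verify signatures or expiry dates.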

How do I know where my certificate came from?

Your server's SSL certificate is supplied by InCommon if it is issued by the "InCommon RSA Server CA 2" certificate. To see your certificate's issuer you can use the online certificate decoder. You can also use the openssl tool:

openssl x509 -noout -in /path/to/your/server/certificate -issuer
