Skip to main content

The CERTInext (emSign) Certificate Chain

As of July 10, 2026, Stanford issues SSL certificates through CERTInext (emSign), replacing the previous InCommon/Sectigo service.

Current certificate chain

your server certificate (leaf)
     └── InCommon Intermediate CA - OVG2C
           (intermediate; issued by Internet2; O=Internet2)
               └── emSign Root TLS CA - G1
                     (intermediate; O=eMudhra Technologies Limited)
                         └── emSign Root CA - G1
                               (root; self-signed; O=eMudhra Technologies Limited)

You can verify this chain on any certificate issued through https://certificate.stanford.edu/ using:

curl -s https://certificate.stanford.edu/cert/<your-hostname> | \
  openssl crl2pkcs7 -nocrl -certfile /dev/stdin | \
  openssl pkcs7 -print_certs -noout

Which certificates should my application send?

Send your server certificate and the InCommon Intermediate CA - OVG2C intermediate certificate. There is almost never any reason to send the root certificate.

The full chain PEM download from https://certificate.stanford.edu/cert/<hostname> already includes all necessary certificates in the correct order for Apache and nginx. No manual assembly needed.

Do I need to send the root certificate?

No. Clients connecting to your application maintain their own collection of trusted root certificates. Sending the root adds unnecessary overhead and provides no additional trust benefit. See also this Information Security Stack Exchange post.

Download formats

Certificates issued through the Stanford SSL Certificate Service are available in three formats:

Format

URL

Full chain (recommended)

https://certificate.stanford.edu/cert/<hostname>

Certificate only

https://certificate.stanford.edu/cert/<hostname>?type=cert

Intermediates + root only

https://certificate.stanford.edu/cert/<hostname>?type=chain

Use the full chain for Apache, nginx, and most web servers.

How do I check what CA issued my certificate?

openssl x509 -noout -issuer -in /path/to/your/server/certificate

Certificates issued through the new CERTInext service will show:

issuer=C=US, O=Internet2, CN=InCommon Intermediate CA - OVG2C

Certificates issued by the previous InCommon/Sectigo service will show:

issuer=CN=InCommon RSA Server CA 2, O=Internet2, C=US

or

issuer=CN=InCommon RSA OV SSL CA 3, O=Sectigo Limited, C=GB

 

Archive: Previous InCommon/Sectigo Certificate Chain

Note: The InCommon/Sectigo certificate service was decommissioned on July 17, 2026. The information below applies only to certificates issued before that date. Existing InCommon-issued certificates remain valid until their expiry date — renew them through https://certificate.stanford.edu/ when they expire.

Legacy chain (before July 17, 2026)

After May 4, 2026 (final InCommon chain):

your server certificate (leaf)
     └── InCommon RSA OV SSL CA 3 (intermediate; expires 2035)
           └── Sectigo Public Server Authentication Root R46
                 └── USERTrust RSA Certification Authority (root; expires 2038)

Before May 4, 2026:

your server certificate (leaf)
     └── InCommon RSA Server CA 2 (intermediate)
           └── USERTrust RSA Certification Authority (root)

 

Some useful links

Last modified