Overview of Sectigo Certificate Authority Change for InCommon


Overview of InCommon Certificate Changes

From May through July 2026, the InCommon certificate service will make several transitions in the root and intermediate certificates used to issue all TLS certificates. Important points:

Guidance for May 2026 Sectigo/InCommon Certificate Change

As of May 5, 2026, the Sectigo Certificate Manager provides certificates issued through a new certificate chain. Servers that do not include at least the intermediate InCommon certificate in the chain they present to clients may experience SSL errors.

In most cases, simply use the certificate chain provided by the CA when you receive your certificate. Install both together and you should not experience issues with any modern client. Certificates issued using ACME should automatically provide the recommended modern certificate chain unless your ACME client is configured to request a specific chain.

Sectigo refers to the default option as "Path A" or "cross-signed." If for some reason you want to use "Path B" or "native root" instead, please refer to the technical details below.

Sectigo/InCommon Certificate Chain Technical Details

In describing the options, Sectigo uses R and E to refer to RSA and ECC, which are different cryptography options for certificates. The fundamentals are the same for both; the Sectigo root is number 46 (with no special significance), so option names use R46 and E46 interchangeably to reference the new trust hierarchy.

Both paths start the same: your certificate is signed by InCommon SSL CA (RSA or ECC) as an intermediate cert.

The difference is in what connects that certificate to a trusted root. The modern path is to rely on the self-signed Sectigo Public Server Authentication (Root R46/E46) being present in your client's trust store as a root certificate.

Modern (Native Root, Path B)

Your cert (leaf)

└─ InCommon OV SSL CA 3 (RSA or ECC, used as intermediate, part of your certificate chain)

  └─ Sectigo Public Server Authentication Root R46/E46 (self-signed) (included root in most trust stores, optionally can include in certificate chain)

The legacy path uses a cross-signed Sectigo Public Server Authentication (Root R46/E46), which provides a path back to the much older USERTrust CA.

Legacy (Cross-signed, Path A)

Your cert (leaf)

└─ InCommon OV SSL CA 3 (RSA or ECC, used as intermediate, part of certificate chain)

  └─ Sectigo Public Server Authentication Root R46/E46 (cross-signed root acting as intermediate, include as part of certificate chain)

    └─ USERTrust RSA/ECC Certification Authority (legacy root included in most trust stores, optionally can include in certificate chain)


Specifics of how to prepare an alternate certificate chain may vary by server platform, but a common methodology is to concatenate certificates in PEM format. If you use this option, ensure that you do not make any changes to the provided PEM files. A common mistake is to open the files in a text editor to combine them, which leaves control characters behind. The safest method is to use the cat command.
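
One way to apply this advice, as an added example that is not Sectigo's or InCommon's own tooling: a small shell helper that rejects PEM files showing signs of text-editor changes (carriage returns, a byte order mark, a missing final newline) and then joins them with cat. The file names are hypothetical, and the leaf-first order is an assumption that follows the chain diagrams above.

```shell
#!/bin/sh
# Added example. File names are hypothetical placeholders.

# pem_count FILE: print how many certificates FILE holds.
pem_count() {
    grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# pem_clean FILE: succeed only if FILE still looks like an unedited PEM file.
pem_clean() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    cr=$(printf '\r')
    # CRLF line endings or a UTF-8 BOM are typical text-editor residue.
    if grep -q "$cr" "$f"; then
        echo "$f: contains carriage returns" >&2; return 1
    fi
    if [ "$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "$f: starts with a byte order mark" >&2; return 1
    fi
    # Every BEGIN line needs its matching END line.
    ends=$(grep -c -e '^-----END CERTIFICATE-----$' "$f" || true)
    n=$(pem_count "$f")
    if [ "$n" -lt 1 ] || [ "$n" -ne "$ends" ]; then
        echo "$f: incomplete PEM block" >&2; return 1
    fi
    # Without a final newline, cat would fuse this END line with the next BEGIN.
    [ -z "$(tail -c 1 "$f")" ] || { echo "$f: no final newline" >&2; return 1; }
}

# build_chain OUT LEAF INTERMEDIATE...: check each input, then join with cat.
build_chain() {
    out=$1; shift
    [ "$#" -ge 2 ] || { echo "need leaf plus intermediate(s)" >&2; return 1; }
    want=0
    for f in "$@"; do
        pem_clean "$f" || return 1
        want=$((want + $(pem_count "$f")))
    done
    cat "$@" > "$out" || return 1
    # The bundle must hold exactly the certificates that went in.
    [ "$(pem_count "$out")" -eq "$want" ]
}

# Path A order, leaf first (hypothetical file names):
#   build_chain fullchain.pem leaf.pem incommon-intermediate.pem r46-cross-signed.pem
```

These checks cover file hygiene only; they do not confirm that each certificate was actually issued by the next one in the bundle.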