(DC) Certificate Chain (Root and Intermediate)
Description
The following article describes what a certificate chain is, and provides the root and intermediate certificates for use with SSL certificates generated by the University of Texas at Austin certificate provider, InCommon and their partner certificate authority organization.
Certificate Chain
A certificate chain is an ordered list of certificates that includes an SSL certificate and Certificate Authority (CA) certificates, allowing the receiver to verify that the sender and all CAs in the chain are trustworthy. The chain, or path, begins with the root certificate, which signs the intermediate certificate. The intermediate certificate is then used to sign each issued SSL certificate.
Any certificate between the SSL certificate and the root certificate is called a chain certificate, or intermediate certificate. The intermediate certificate is the signer and issuer of the SSL certificate. The root certificate is the signer and issuer of the intermediate certificate. If the intermediate certificate is not installed on the server where the SSL certificate is installed, some browsers, mobile devices, applications, and other clients may not trust the SSL certificate. To ensure compatibility with all clients, the intermediate certificate must be installed.
The chain terminates with a root certificate. The root certificate is always self-signed by the certificate authority. The signatures of all certificates in the chain must be verified up to the root certificate.
For most servers, the root and intermediate certificates that make up the certificate chain are usually appended together in a single file. The root certificate is typically listed first, followed by the intermediate certificate.
Please refer to your application- or service-specific documentation for instructions on how to configure your cryptographic or encryption settings correctly.
It is considered best practice to always update your intermediate and root certificates when updating the certificate, this will help ensure you always have the correct chain.
Guidance for Upcoming Changes
Two changes affecting InCommon certificates will take effect soon. Please review the information below carefully to ensure that new and renewed InCommon certificates, as well as the request process, continue to function as expected. These changes apply only to InCommon certificates and do not affect certificates issued by other certificate authorities, such as Austin AD. Although both changes are occurring within a similar timeframe, they are separate events and should be treated independently.
Starting on May 4, 2026, the Sectigo Certificate Chain Change takes effect. Beginning on that date, all newly created or renewed certificates will require a new intermediate certificate and root certificate in the certificate chain in order to validate properly.
Starting on July 17, 2026, the InCommon Sectigo → CertiNext transition takes effect. On that date, InCommon will transition from the Sectigo certificate authority to the CertiNext certificate authority. This change will require newly created or renewed certificates to use a new intermediate certificate and root certificate in the certificate chain in order to validate properly. In addition, any workflows that use ACME or other automated processes to generate or renew certificates will need to be updated to use the new CertiNext ACME and REST API endpoints. Information regarding these new endpoints will be released closer to InCommon Sectigo → CertiNext transition.
Guidance / Recommendations
From now through May 3, 2026, if you have the option to do so, we recommend proactively renewing any SSL certificates that expire between May 4, 2026, and July 16, 2026, inclusive. This will give you at most 199 days from the date of creation or renewal before you need to take action on that certificate again.
benefit This extends your certificate beyond the Sectigo Certificate Chain Change, avoiding the need to update to a new intermediate and root certificates at that time. The renewed certificate would then expire near November 2026. (See Certificates requested ON / AFTER July 17, 2026)
Not done implication If your certificate expires before July 17, 2026, you will need to go through two separate intermediate and root certificate changes: once for the change taking effect on May 4, 2026 and again when the certificate is renewed on or after July 17, 2026 as part of the InCommon Sectigo → CertiNext transition.
Any certificates created or renewed on May 4, 2026 through July 16, 2026, will require a new intermediate and root certificates to be included in the certificate chain in order to validate properly. The intermediate and root certificates included with certificates generated prior to May 4, 2026 will not work with these new certificates.
Any certificates created or renewed on or after July 17, 2026, will require a new CertiNext intermediate and root certificates as part of the InCommon Sectigo → CertiNext transition. If you have automation in place, you will need to update those workflows to use new endpoints, credentials, and related configuration settings. Please see the InCommon Sectigo → CertiNext transition.
Certificates requested BEFORE May 4, 2026
The following root and intermediate certificates are valid for all certificates issued or generated BEFORE May 4, 2026.
Root Certificate
Intermediate Certificate
Certificates requested ON / AFTER May 4, 2026
The following root and intermediate certificate are valid on all certificates issued/generated on or AFTER May 4, 2026 and BEFORE July 17, 2026
Root Certificate
Intermediate Certificate
Certificates requested ON / AFTER July 17, 2026
The CertiNext root and intermediate certificates for certificates generated after the InCommon Sectigo → CertiNext transition are not yet available.
Please see the page InCommon Sectigo → CertiNext transition for additional information.