SSL certificates are issued under "intermediate certificates" belonging to the Certificate Authority, which build a "chain of trust" back to the CA's root certificate. All browsers and devices have a certificate store where they keep intermediate and root certificates from various Certificate Authorities, thus allowing them to cross-reference and trust SSL certificates installed on websites.
When you first install an SSL certificate on your web server, you may be required to provide the intermediate certificates, otherwise known as the "CA Bundle" for your certificate. The CA bundle is included in the zipped folder of certificate files sent to you by the Certificate Authority. These files can also be downloaded directly from your order details page on your account dashboard.
How to Distinguish Intermediate, Root, and CA Bundle Files
When you download your certificate files from your account, you will find several folders containing different file formats. You can read a brief overview of the files in the document named "Choosing the Right Files to Install.txt".
The root and intermediate certificates for your SSL are saved in the "CER - CRT Files" and "Plain Text Files" folders. The exact file names of each certificate is different depending on what type of SSL you have, i.e. Domain Validation SSL uses different intermediate certificates than Organization Validation SSL.
There are also different intermediate certificates provided if you generate your SSL using an ECC algorithm, however the standard algorithm is currently RSA.
AAACertificateServices.crt | Root Certificate |
USERTrustRSAAAACA.crt | Cross-signed root Certificate |
SectigoRSADomainValidationSecureServerCA.crt | DV Intermediate Certificate |
SectigoRSAOrganizationValidationSecureServerCA.crt | OV Intermediate Certificate |
SectigoRSAExtendedValidationSecureServerCA.crt | EV Intermediate Certificate |
CA Bundle
Also included in your certificates folder is a .ca-bundle file. This file includes all intermediate certificates required in the chain of trust. On some servers, you may be required to install this file to complete your SSL installation.
Some servers may require you to rename this file to use a different extension, such as .crt.
Note: Comodo CA may not provide a CA Bundle file when they email your certificate files after issuance.
Code Signing Intermediate Certificates
Like SSL, Code Signing certificates also chain to intermediate CA certificates to establish trust.
If you submit a custom CSR during your Code Signing certificate generation process, rather than using Internet Explorer to generate the certificate, you may need to download the Code Signing intermediate certificate file and combine it with your Code Signing certificate to create a usable PFX type file.
Please review our guide on Converting Code Signing to PFX for further information.
Intermediate Certificate Download for Code Signing
If your Code Signing was issued before June 1, 2021
Standard Sectigo RSA Code Signing CA [Download]
If your Code Signing was issued on or after June 1, 2021
Standard Sectigo Public Code Signing CA R36 [Download]
Email Signing Intermediate Certificates
If you submit a custom CSR during your Email Signing certificate generation process, rather than using Internet Explorer to generate the certificate, you may need to download the Email Signing intermediate certificate file and combine it with your Email Signing certificate to create a usable PFX type file.
Please review our guide on Converting Email Signing to PFX for further information.
Intermediate Certificate Download for Email Signing
Personal Authentication Certificate (CPAC) Sectigo RSA Client Authentication and Secure Email CA [Download]