Sectigo Root and Intermediate Certificates
In 2025 Sectigo transitioned to new Root and Intermediate certificates for TLS/SSL, S/MIME, and Code Signing. This change has been made ahead of industry-wide changes to certificate usages
All Sectigo SSL certificates are issued under the newest root/intermediate chain and include a cross-signed root (under UserTrust) for maximum compatibility.
Best Practices
Whenever required, install on your server the intermediate and root certificates that are included in your certificate download. Cross-signed intermediate certificates may be necessary for your server to fully trust the certificate chain.
Do not pin or hard-code root/intermediate certificates on your server.
What Is Cross-Signing?
To ensure backwards compatibility with legacy systems, Sectigo provides “cross-signed” root certificates. A cross-signed certificate chains up to an older, more widely accepted root certificate such as UserTrust or AAA Certificate Services. These cross-signed certificates are useful in building a complete chain of trust on older devices that do not have newer roots/intermediates in their trust stores.
What’s In My SSL Certificate Folder?
Whether you download your certificate from your account with us or from the email sent by Sectigo, you'll find these files inside:
- Root CA Certificate - USERTrustRSACertificationAuthority.crt
- Intermediate CA Certificate - SectigoPublicServerAuthenticationRootR46_USERTrust.crt
- Intermediate CA Certificate - SectigoPublicServerAuthenticationCADVR36.crt
- Your SSL Certificate - domain_com.crt
A "CA Bundle" file may also be included (My_CA_Bundle.ca-bundle) which contains the three Sectigo chain certificates. You can rename this file to change the extension as needed and install on your server as the "CA certificate."
Root and Intermediate Downloads
You should always use the root and intermediate certificates provided when downloading your certificate folder from your account, or when emailed by Sectigo.
The links below can be used to download each intermediate and root file individually. Pay attention to the Issue Date, Algorithm, and Validation Type to locate the correct files for your certificates.
Most SSL certificates use the RSA algorithm by default.
Please use the “cross-signed” roots whenever provided.
TLS/SSL Certificates
Domain Validation (DV) SSL
Before June 2, 2025
Intermediate
- RSA: Sectigo RSA Domain Validation Secure Server CA
- ECC: Sectigo ECC Domain Validation Secure Server CA
Root
After June 2, 2025
Intermediate
- RSA: Sectigo Public Server Authentication CA DV R36
- ECC: Sectigo Public Server Authentication CA DV E36
Roots:
- RSA:
- Sectigo Public Server Authentication Root R46 x USERTrust RSA CA
- USERTrust RSA Certification Authority
- ECC:
- Sectigo Public Server Authentication Root E46 x USERTrust ECC CA
- USERTrust ECC Certification Authority
Organization Validation (OV) SSL
Before May 15, 2025
Intermediate
- RSA: Sectigo RSA Domain Validation Secure Server CA
- ECC: Sectigo ECC Domain Validation Secure Server CA
Root
After May 15, 2025
Intermediate
- RSA: Sectigo Public Server Authentication CA OV R36
- ECC: Sectigo Public Server Authentication CA OV E36
Roots:
- RSA:
- ECC:
- Sectigo Public Server Authentication Root E46 x USERTrust ECC CA
- USERTrust ECC Certification Authority
Extended Validation (EV) SSL
Before April 15, 2025
Intermediate
- RSA: Sectigo RSA Extended Validation Secure Server CA
- ECC: Sectigo ECC Extended Validation Secure Server CA
Root
After April 15, 2025
Intermediate
- RSA: Sectigo Public Server Authentication CA EV R36
- ECC: Sectigo Public Server Authentication CA EV E36
Roots:
- RSA:
- ECC:
Personal Authentication Certificates (Secure Email and S/MIME)
Before March 1, 2025
Intermediate
- RSA: Sectigo RSA Client Authentication and Secure Email CA
- ECC: Sectigo ECC Client Authentication and Secure Email CA
Root:
After March 1, 2025
Intermediate
Root
Code Signing Certificates
Organization Validation (OV) or Individual Code Signing
Intermediate
Root
Extended Validation (EV) Code Signing
Intermediate
Root