FAQs


How to Implement a SHA-2 Root Certificate Chain to Address Application Compatibility Issues
Many modern applications no longer accept certificates with SHA-1 root certificates in the chain due to security concerns. If you are facing compatibility issues related to SHA-1 root certificates, you can switch to a SHA-2 Root Certificate chain. The steps outlined below will guide you through the process of implementing a SHA-2 root certificate chain, using Sectigo’s SHA-2 compliant certificates.
Certificate Chain with SHA-2 Root CA
To resolve issues caused by SHA-1 certificates in your chain, you can use the following SHA-2 Root Certificate chain. The chain consists of three certificates: the end entity certificate, an intermediate certificate, and the SHA-2 root certificate.
Chain Path Overview:
- End Entity Certificate
  - The certificate issued to the end-user or organization.
- Sectigo RSA Organization Validation Secure Server CA
  - This is the Intermediate Certificate, valid until Dec 31, 2030.
- UserTrust RSA Certification Authority
  - This is the Root Certificate, valid until Jan 18, 2038.
Steps to Apply the SHA-2 Root Certificate Chain
- Copy and Save the Certificates:
  - You can either save the certificates as a .crt file using the notepad method or download them directly from the links provided below.
- Downloading Certificates:
  - UserTrust RSA Certification Authority Root Certificate (SHA-2):
    - Download link: Download Root Certificate
  - Sectigo RSA Organization Validation Secure Server CA Intermediate Certificate:
    - For details on the intermediate certificates, you can visit the following:
- Install the Certificates:
  - Save the certificates from the above URLs or copy the certificate content into a .crt file.
  - Install the following certificates in the correct order:
    - End Entity Certificate (Your organization's or user’s certificate)
    - Sectigo RSA Organization Validation Secure Server CA - Intermediate (Valid until Dec 31, 2030)
    - UserTrust RSA Certification Authority - SHA2 Root (Valid until Jan 18, 2038)
- Important Note:
  - Do NOT include the UserTrust RSA Cross-Signed Intermediate issued by AAA Certificate Services in this chain. Including the cross-signed certificate could cause compatibility issues with certain applications.
Additional Notes:
- If you prefer to create your own certificate files, copy the certificate contents provided in the URLs above into Notepad, then save the files with the .crt extension.
- Ensure you follow the correct installation order as the chain hierarchy depends on it.
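The ordering rule and the cross-signed exclusion above can be checked before a bundle is deployed. The following is an added example, not Sectigo's or this page's own code: it reads the subject/issuer listing that `openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -noout` prints for a bundle and reports ordering problems or an AAA Certificate Services issuer. The sample listings, `bundle.crt`, `www.example.com` and the function names are assumptions, and only names are compared (signatures are not verified).

```python
import re

# Constructed sample in the shape printed by:
#   openssl crl2pkcs7 -nocrl -certfile bundle.crt | openssl pkcs7 -print_certs -noout
# DNs are shortened to the CN; www.example.com is a placeholder end-entity name.
GOOD = """\
subject=CN = www.example.com
issuer=CN = Sectigo RSA Organization Validation Secure Server CA

subject=CN = Sectigo RSA Organization Validation Secure Server CA
issuer=CN = USERTrust RSA Certification Authority

subject=CN = USERTrust RSA Certification Authority
issuer=CN = USERTrust RSA Certification Authority
"""
# Constructed bad bundle: last slot holds the cross-signed USERTrust certificate.
CROSS = GOOD.rsplit("issuer=", 1)[0] + "issuer=CN = AAA Certificate Services\n"

CROSS_SIGNER = "cn=aaa certificate services"  # issuer named in the page's warning


def norm(dn):
    """Make DNs comparable across OpenSSL output styles ('CN = x' vs 'CN=x')."""
    return re.sub(r"\s*=\s*", "=", dn).lower()


def parse_bundle(text):
    """Return [(subject, issuer), ...] in file order, normalised."""
    subjects = re.findall(r"^subject=\s*(.+?)\s*$", text, re.M)
    issuers = re.findall(r"^issuer=\s*(.+?)\s*$", text, re.M)
    if len(subjects) != len(issuers):
        raise ValueError("unpaired subject/issuer lines")
    return [(norm(s), norm(i)) for s, i in zip(subjects, issuers)]


def check_chain(text):
    """Return a list of problems (names only); empty means the page's layout."""
    certs, problems = parse_bundle(text), []
    if len(certs) != 3:
        problems.append(f"expected 3 certificates, found {len(certs)}")
    for n, (_, issuer) in enumerate(certs, 1):
        if CROSS_SIGNER in issuer:
            problems.append(f"cert {n}: issuer is AAA Certificate Services, leave it out")
    for n in range(len(certs) - 1):
        if certs[n][1] != certs[n + 1][0]:
            problems.append(f"cert {n + 1}: issuer is not the subject of cert {n + 2}")
    if certs and certs[-1][0] != certs[-1][1]:
        problems.append("last certificate is not self-signed, so it is not the root")
    return problems
```

An empty list from `check_chain` means the bundle is end entity, intermediate, self-signed root in that order; follow it with a real signature check such as `openssl verify` before relying on the chain.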
By following these steps, you can resolve compatibility issues and ensure that your applications recognize the SHA-2 certificate chain, preventing any security-related rejections.
For further assistance or troubleshooting, you can refer to Sectigo’s official knowledge base or contact support.