Where do I get a CA Bundle file?

A CA Bundle file contains root and intermediate certificates. These certificates build the chain of trust for your domain certificate.

The Bundle files differ by the validation level of your certificate and the key type in the CSR you used to activate your certificate.

The CA Bundle file can be downloaded from your SSLs.com account. The CA Bundle file has the .ca-bundle extension.

Alternatively, feel free to use the CA Bundle files from this article.

Sectigo SHA2 Bundles under the cross-signed root

These are the current default CA Bundles. Sectigo CA has sent these in the fulfillment emails since January 14, 2019.

Domain Validation

These bundles contain the “Sectigo RSA Domain Validation Secure Server CA” or “Sectigo ECC Domain Validation Secure Server CA” intermediate certificate (depending on the key type), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate, which is cross-signed by the old “AddTrust External CA Root” SHA1 root certificate (not included in the file).

Sectigo RSA DV Bundle

Sectigo ECC DV Bundle

Organization Validation

These bundles contain the “Sectigo RSA Organization Validation Secure Server CA” or “Sectigo ECC Organization Validation Secure Server CA” intermediate certificate (depending on the key type), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate, which is cross-signed by the old “AddTrust External CA Root” SHA1 root certificate (not included in the file).

Sectigo RSA OV Bundle

Sectigo ECC OV Bundle

Extended Validation

These bundles contain the “Sectigo RSA Extended Validation Secure Server CA” or “Sectigo ECC Extended Validation Secure Server CA” intermediate certificate (depending on the key type), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate, which is cross-signed by the old “AddTrust External CA Root” SHA1 root certificate (not included in the file).

Sectigo RSA EV Bundle

Sectigo ECC EV Bundle

 

Important: There are currently two versions of the “USERTrust RSA Certification Authority” SHA-2 root certificate. One is cross-signed by the old “AddTrust External CA Root” SHA1 root certificate and is included in the default CA Bundles (see above). This is done so that browsers adopt the new root certificate gradually. The old root is widely trusted, so it guarantees to the browsers that the whole chain can be trusted.

It is expected that by the time the old “AddTrust External CA Root” root certificate expires (in May 2020), the new root will be trusted by most browsers. The chains without the expired root certificate will then take effect; see below.
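To check which certificates a downloaded .ca-bundle file holds, when each one expires, and which issuer is not in the file (for the default bundles, the cross-signing root the client must already trust), the added example below uses the openssl CLI. It is not SSLs.com or Sectigo code; the function names and the throwaway "Constructed" chain are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: inspect a .ca-bundle with the openssl CLI (POSIX sh).

# Split a PEM bundle ($1) into one file per certificate under directory $2.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
  ' "$1"
}

# Print subject, issuer and expiry of each certificate, flagging expired ones.
bundle_report() (
  tmp=$(mktemp -d); split_bundle "$1" "$tmp"
  for f in "$tmp"/cert-*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer -enddate -nameopt RFC2253
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null || echo "  ^ EXPIRED"
  done
  rm -rf "$tmp"
)

# Print the issuer DN of each certificate whose issuer is not in the bundle.
# Such an issuer has to be in the client's trust store for the chain to verify.
bundle_missing_issuers() (
  tmp=$(mktemp -d); split_bundle "$1" "$tmp"
  subjects=$(for f in "$tmp"/cert-*.pem; do
    openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
  done)
  for f in "$tmp"/cert-*.pem; do
    issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    printf '%s\n' "$subjects" | grep -Fxq -- "$issuer" || printf '%s\n' "$issuer"
  done
  rm -rf "$tmp"
)

# Constructed sample input (not real Sectigo certificates) written to directory $1.
make_constructed_chain() (
  set -e; cd "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Constructed Root" -days 30 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Constructed Intermediate" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 30 2>/dev/null
  cat int.pem > without-root.ca-bundle
  cat int.pem root.pem > with-root.ca-bundle
)

if [ -n "${1:-}" ]; then bundle_report "$1"; bundle_missing_issuers "$1"; fi
```

Run against a real bundle, an issuer printed by `bundle_missing_issuers` that has expired or is absent from the client's trust store means the chain will not validate on that client.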

 

Sectigo SHA2 Bundles under SHA2 root (not cross-signed)

Domain Validation

These bundles contain the “Sectigo RSA Domain Validation Secure Server CA” or “Sectigo ECC Domain Validation Secure Server CA” intermediate certificate (depending on the key type), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate.

Sectigo RSA DV SHA2 Bundle under SHA2 root

Sectigo ECC DV SHA2 Bundle under SHA2 root

Organization Validation

These bundles contain the “Sectigo RSA Organization Validation Secure Server CA” or “Sectigo ECC Organization Validation Secure Server CA” intermediate certificate (depending on the key type), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate.

Sectigo RSA OV SHA2 Bundle under SHA2 root

Sectigo ECC OV SHA2 Bundle under SHA2 root

Extended Validation

These bundles contain the “Sectigo RSA Extended Validation Secure Server CA” or “Sectigo ECC Extended Validation Secure Server CA” intermediate certificate (depending on the key type), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate.

Sectigo RSA EV SHA2 Bundle under SHA2 root

Sectigo ECC EV SHA2 Bundle under SHA2 root

 

Old Comodo CA Bundles (SHA2 under SHA1 root)

Below are the Bundles that were supplied with certificates before January 14, 2019. These are now outdated.

Note: It is recommended to reissue the certificate (if it hasn’t been reissued since January 14, 2019) and re-install it with the up-to-date Bundle file.

Domain Validation

These bundles contain the “COMODO RSA Domain Validation Secure Server CA” or “COMODO ECC Domain Validation Secure Server CA” intermediate certificate (depending on the key type), signed by the “COMODO RSA Certification Authority” intermediate certificate, issued by the “AddTrust External CA Root” SHA1 root certificate.

Comodo RSA DV Bundle

Comodo ECC DV Bundle

Organization Validation

These bundles contain the “COMODO RSA Organization Validation Secure Server CA” or “COMODO ECC Organization Validation Secure Server CA” intermediate certificate (depending on the key type), signed by the “COMODO RSA Certification Authority” intermediate certificate, issued by the “AddTrust External CA Root” SHA1 root certificate.

Comodo RSA OV Bundle

Comodo ECC OV Bundle

Extended Validation

These bundles contain the “COMODO RSA Extended Validation Secure Server CA” or “COMODO ECC Extended Validation Secure Server CA” intermediate certificate (depending on the key type), signed by the “COMODO RSA Certification Authority” intermediate certificate, issued by the “AddTrust External CA Root” SHA1 root certificate.

Comodo RSA EV Bundle

Comodo ECC EV Bundle