Where do I get a CA Bundle file?

A CA Bundle file contains root and intermediate certificates. Together, these certificates build the chain of trust for your domain certificate.

Bundle files differ according to the validation level of your certificate and the key type in the CSR you used to activate your certificate.

The CA Bundle file can be downloaded from your SSLs.com account. The CA Bundle file has the .ca-bundle extension.

Alternatively, feel free to use the CA Bundle files from this article.

Sectigo SHA2 Bundles under the cross-signed root

These are the current default CA Bundles. Sectigo CA has sent these in fulfillment emails since January 14, 2019.

Domain Validation

Contains the “Sectigo RSA Domain Validation Secure Server CA”/“Sectigo ECC Domain Validation Secure Server CA” intermediate certificate (depending on the key encryption method), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate, which is cross-signed by the old “AddTrust External CA Root” SHA1 root certificate (not included in the file).

Organization Validation

Contains the “Sectigo RSA Organization Validation Secure Server CA”/“Sectigo ECC Organization Validation Secure Server CA” intermediate certificate (depending on the key encryption method), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate, which is cross-signed by the old “AddTrust External CA Root” SHA1 root certificate (not included in the file).

Extended Validation

Contains the “Sectigo RSA Extended Validation Secure Server CA”/“Sectigo ECC Extended Validation Secure Server CA” intermediate certificate (depending on the key encryption method), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate, which is cross-signed by the old “AddTrust External CA Root” SHA1 root certificate (not included in the file).

 

Important: There are currently two versions of the “USERTrust RSA Certification Authority” SHA-2 root certificate. One is cross-signed by the old “AddTrust External CA Root” SHA1 root certificate and is included in the default CA Bundles (see above). This is done so that browsers become acquainted with the new root certificate little by little. The old root is widely trusted, so it guarantees to browsers that the whole chain can be trusted.

It is expected that by the time the old “AddTrust External CA Root” root certificate expires (in May 2020), the new root will have become trusted by most browsers. Then the chains without the expired root certificate will become effective; see below.
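To check which chain a given .ca-bundle file actually carries and which root it ultimately relies on, the file can be inspected with the openssl command-line tool. The script below is an added example, not code from SSLs.com or Sectigo; the function names and the "Demo ..." certificates it generates are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): inspect a .ca-bundle with the openssl CLI.
# split_bundle: write each PEM certificate of bundle $1 to its own file in directory $2.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert%02d.pem", dir, ++n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }' "$1"
}

# Print subject, issuer and expiry of each certificate, one line per certificate.
describe_bundle() (
  dir=$(mktemp -d); split_bundle "$1" "$dir"
  for f in "$dir"/cert*.pem; do
    [ -e "$f" ] && openssl x509 -in "$f" -noout -subject -issuer -enddate | paste -sd' ' -
  done
  rm -rf "$dir"
)

# Print the issuer of every certificate whose issuer is not in the bundle itself: the
# root a client must already trust. Matches names only; signatures are not verified.
external_issuers() (
  dir=$(mktemp -d); split_bundle "$1" "$dir"
  for f in "$dir"/cert*.pem; do
    [ -e "$f" ] && openssl x509 -in "$f" -noout -subject_hash
  done > "$dir/subjects"
  for f in "$dir"/cert*.pem; do
    [ -e "$f" ] || continue
    grep -qx "$(openssl x509 -in "$f" -noout -issuer_hash)" "$dir/subjects" ||
      openssl x509 -in "$f" -noout -issuer
  done
  rm -rf "$dir"
)

# Constructed demo data written to $1/demo.ca-bundle: an intermediate plus a new root
# cross-signed by an old root that is left out of the file. All names are made up.
make_demo_bundle() (
  cd "$1" && printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -keyout old.key -out old.pem -subj "/CN=Demo Old Root" -days 30
  openssl req -newkey rsa:2048 -nodes -keyout new.key -out new.csr -subj "/CN=Demo New Root"
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA"
  openssl x509 -req -in new.csr -CA old.pem -CAkey old.key -CAcreateserial -extfile ca.ext -days 30 -out new.pem
  openssl x509 -req -in int.csr -CA new.pem -CAkey new.key -CAcreateserial -extfile ca.ext -days 30 -out int.pem
  cat int.pem new.pem > demo.ca-bundle
) >/dev/null 2>&1

work=$(mktemp -d) && make_demo_bundle "$work"
describe_bundle "$work/demo.ca-bundle"   # intermediate first, then the cross-signed root
external_issuers "$work/demo.ca-bundle"  # names the old root, which is not in the file
rm -rf "$work"
```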

 

Sectigo SHA2 Bundles under SHA2 root (not cross-signed)

Domain Validation

Contains the “Sectigo RSA Domain Validation Secure Server CA”/“Sectigo ECC Domain Validation Secure Server CA” intermediate certificate (depending on the key encryption method), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate.

Organization Validation

Contains the “Sectigo RSA Organization Validation Secure Server CA”/“Sectigo ECC Organization Validation Secure Server CA” intermediate certificate (depending on the key encryption method), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate.

Extended Validation

Contains the “Sectigo RSA Extended Validation Secure Server CA”/“Sectigo ECC Extended Validation Secure Server CA” intermediate certificate (depending on the key encryption method), signed by the “USERTrust RSA Certification Authority” SHA-2 root certificate.

 

New Sectigo Bundles Cross-signed with AAA Root

Domain Validation

Contains “Sectigo RSA Domain Validation Secure Server CA”/“Sectigo ECC Domain Validation Secure Server CA”, signed by “USERTrust RSA Certification Authority” (new)/“USERTrust ECC Certification Authority” (new), cross-signed by “AAA Certificate Services”.

Organization Validation

Contains “Sectigo RSA Organization Validation Secure Server CA”/“Sectigo ECC Organization Validation Secure Server CA”, signed by “USERTrust RSA Certification Authority” (new)/“USERTrust ECC Certification Authority” (new), cross-signed by “AAA Certificate Services”.

Extended Validation

Contains “Sectigo RSA Extended Validation Secure Server CA”/“Sectigo ECC Extended Validation Secure Server CA”, signed by “USERTrust RSA Certification Authority” (new)/“USERTrust ECC Certification Authority” (new), cross-signed by “AAA Certificate Services”.

Old Comodo CA Bundles (SHA2 under SHA1 root)

Below are the Bundles that were supplied with certificates before January 14, 2019. These are now outdated.

Note: It is recommended to reissue the certificate (if it hasn’t been reissued since January 14, 2019) and re-install it with the up-to-date Bundle file.

Domain Validation

Contain the “COMODO RSA Domain Validation Secure Server CA”/“COMODO ECC Domain Validation Secure Server CA” (depending on the key encryption method) intermediate certificate, signed by the “COMODO RSA Certification Authority” intermediate certificate, issued by the “AddTrust External CA Root” SHA1 root certificate.

Comodo RSA DV Bundle

Comodo ECC DV Bundle

Organization Validation

Contain the “COMODO RSA Organization Validation Secure Server CA”/“COMODO ECC Organization Validation Secure Server CA” (depending on the key encryption method) intermediate certificate, signed by the “COMODO RSA Certification Authority” intermediate certificate, issued by the “AddTrust External CA Root” SHA1 root certificate.

Comodo RSA OV Bundle

Comodo ECC OV Bundle

Extended Validation

Contain the “COMODO RSA Extended Validation Secure Server CA”/“COMODO ECC Extended Validation Secure Server CA” (depending on the key encryption method) intermediate certificate, signed by the “COMODO RSA Certification Authority” intermediate certificate, issued by the “AddTrust External CA Root” SHA1 root certificate.

Comodo RSA EV Bundle

Comodo ECC EV Bundle