SSL certificates are issued under "intermediate certificates" belonging to the Certificate Authority, which build a "chain of trust" back to the CA's root certificate. All browsers and devices have a certificate store where they keep intermediate and root certificates from various Certificate Authorities, thus allowing them to cross-reference and trust SSL certificates installed on websites. 

When you first install an SSL certificate on your web server, you may be required to provide the intermediate certificates, otherwise known as the "CA Bundle" for your certificate. The CA bundle is included in the zipped folder of certificate files sent to you by the Certificate Authority. These files can also be downloaded directly from your order details page on your account dashboard. 

How to Distinguish Intermediate, Root, and CA Bundle Files

When you download your certificate files from your account, you will find several folders containing different file formats. You can read a brief overview of the files in the document named "Choosing the Right Files to Install.txt".

The root and intermediate certificates for your SSL are saved in the "CER - CRT Files" and "Plain Text Files" folders. The exact file names of each certificate is different depending on what type of SSL you have, i.e. Domain Validation SSL uses different intermediate certificates than Organization Validation SSL. 

There are also different intermediate certificates provided if you generate your SSL using an ECC algorithm, however the standard algorithm is currently RSA.

AAACertificateServices.crtRoot Certificate
USERTrustRSAAAACA.crtCross-signed root Certificate
SectigoRSADomainValidationSecureServerCA.crtDV Intermediate Certificate
SectigoRSAOrganizationValidationSecureServerCA.crtOV Intermediate Certificate
SectigoRSAExtendedValidationSecureServerCA.crtEV Intermediate Certificate


CA Bundle

Also included in your certificates folder is a .ca-bundle file. This file includes all intermediate certificates required in the chain of trust. On some servers, you may be required to install this file to complete your SSL installation.

Some servers may require you to rename this file to use a different extension, such as .crt. 

Note: Sectigo CA may not provide the CA bundle file when they email your certificates after issuance.

Code Signing Intermediate Certificates

Like SSL, Code Signing certificates also chain to intermediate CA certificates to establish trust. 

If you submit a custom CSR during your Code Signing certificate generation process, rather than using Internet Explorer to generate the certificate, you may need to download the Code Signing intermediate certificate file and combine it with your Code Signing certificate to create a usable PFX type file.

Please review our guide on Converting Code Signing to PFX for further information.

Intermediate Certificate Download for Code Signing

If your Code Signing was issued before June 1, 2021

Standard Sectigo RSA Code Signing CA [Download] 

If your Code Signing was issued on or after June 1, 2021

Standard Sectigo Public Code Signing CA R36 [Download]

Email Signing Intermediate Certificates

If you submit a custom CSR during your Email Signing certificate generation process, rather than using Internet Explorer to generate the certificate, you may need to download the Email Signing intermediate certificate file and combine it with your Email Signing certificate to create a usable PFX type file.

Please review our guide on Converting Email Signing to PFX for further information.

Intermediate Certificate Download for Email Signing

Personal Authentication Certificate (CPAC) Sectigo RSA Client Authentication and Secure Email CA  [Download]