If your current certificate chain is expiring, you’ll need to replace it with one of the chain files on the downloads page. The Testing Your Certificate Chain page shows how to check a certificate and its chain. The first certificate in the chain (you may see it labelled Additional Certificate #2) shows either “Sectigo RSA Organization Validation Secure Server CA” or “COMODO RSA Organization Validation Secure Server CA”. If you see either of those Certificate Authorities and any certificate in the chain is expiring soon, you’ll need to replace the chain with one of the chains below.
Check the Issuer of Your SSLCertificateFile
You can use the openssl command to check the Issuer of your certificate. For example, you might have:
SSLCertificateFile /etc/httpd/conf.d/ssl/server.crt
Use openssl x509 to see the important details:
# openssl x509 -in server.crt -noout -subject -issuer -dates -sha1 -fingerprint
subject= /C=CA/postalCode=M5S 3J1/ST=Ontario/L=Toronto/street=255 Huron St./ O=Governing Council of the University of Toronto/OU=ITS - IS/CN=my.host.utoronto.ca
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Organization Validation Secure Server CA
notBefore=Mar 2 00:00:00 2020 GMT
notAfter=Mar 2 23:59:59 2022 GMT
SHA1 Fingerprint=95:1A:8E:45:26:3A:38:45:D0:71:29:3A:C5:35:58:E2:12:65:F8:71
This output shows that the certificate for “my.host.utoronto.ca” is issued by Sectigo (and not COMODO), so the replacement is Sectigo-AAA-chain.pem. If the issuer is “COMODO RSA Organization Validation Secure Server CA”, then the replacement is COMODO-chain.pem.
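The check described above as a script, added here as an example and not part of the original page: it reads the issuer of the SSLCertificateFile, counts the certificates in the chain file that expire within a given number of days, and names the replacement chain. The function names and the 30-day default are assumptions; the chain file names are the ones this page gives.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Function names are hypothetical.

# Map an issuer line from `openssl x509 -noout -issuer` to the replacement chain.
# Matching on the CA name alone handles both "/CN=..." and "CN = ..." output styles.
chain_for_issuer() {
    case "$1" in
        *"Sectigo RSA Organization Validation Secure Server CA"*) echo "Sectigo-AAA-chain.pem" ;;
        *"COMODO RSA Organization Validation Secure Server CA"*)  echo "COMODO-chain.pem" ;;
        *) return 1 ;;   # some other CA: this page's chains do not apply
    esac
}

# Print how many certificates in a PEM bundle expire within N days (default 30,
# an assumed threshold). Details of each expiring certificate go to stderr.
expiring_in_bundle() {
    local bundle="$1" days="${2:-30}"
    local tmp f n=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { i++ }
                     i { print > (d "/cert" i ".pem") }' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        # -checkend exits non-zero when the certificate expires within that many seconds.
        if ! openssl x509 -in "$f" -noout -checkend "$((days * 86400))" >/dev/null; then
            openssl x509 -in "$f" -noout -subject -enddate >&2
            n=$((n + 1))
        fi
    done
    rm -rf "$tmp"
    echo "$n"
}

# check_chain <SSLCertificateFile> <chain file> [days]
check_chain() {
    local cert="$1" bundle="$2" days="${3:-30}"
    local issuer file expiring
    issuer=$(openssl x509 -in "$cert" -noout -issuer) || return 2
    if ! file=$(chain_for_issuer "$issuer"); then
        echo "issuer not covered by this page: $issuer"
        return 0
    fi
    expiring=$(expiring_in_bundle "$bundle" "$days") || return 2
    if [ "$expiring" -gt 0 ]; then
        echo "replace chain with $file"
    else
        echo "chain ok"
    fi
}
```

Source the file and run `check_chain server.crt your-chain.pem 60` to widen the warning window to 60 days.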
COMODO RSA Organization Validation Secure Server CA
If your certificate is issued by “COMODO RSA Organization Validation Secure Server CA”, download COMODO-chain.pem.
Sectigo RSA Organization Validation Secure Server CA
If your certificate is issued by “Sectigo RSA Organization Validation Secure Server CA”, download Sectigo-AAA-chain.pem.