Understanding key terminology is key to understanding SSL/TLS
For many people, SSL/TLS certificates are an afterthought. A once-every-year-or-so type of product that doesn’t need a whole lot of explanation beyond “how is it installed?” That’s why seeing terms like “Sectigo RSA Domain Validation” can be a little bit confusing. You might know what RSA is, and maybe you know about Domain Validation, but not well enough to explain it to anyone.
In this article we’re going to discuss Sectigo RSA Domain Validation, Sectigo RSA Domain Validation certificates and we’ll go over all the terms you’ll need to understand them.
Sectigo RSA Domain Validation
Let’s start by breaking down the term. Sectigo is obviously the CA; it was known as Comodo CA until last Fall, but it’s been around for over 20 years. RSA refers to the digital signature algorithm that was used to sign the certificate. And Domain Validation is the level of validation associated with the certificate – it requires only a simple domain control check.
Now, “Sectigo RSA Domain Validation certificates” refers to one of two things: either the intermediate root that was used to sign the certificate, or a type of Sectigo SSL (leaf) certificate – regardless of whether it’s a Sectigo, Positive SSL or Essential SSL certificate, it is RSA-signed and Domain Validated.
Let’s start with the Intermediate Root and work our way down to the leaf certificates.
A quick trip through PKI
The trust model that SSL/TLS is built on is called PKI or Public Key Infrastructure. It’s a way for clients (internet users) to securely share a secret encryption key with a website (server) so that the two can communicate securely. Before keys can be exchanged though, the client needs to verify the server’s identity. This is where PKI comes in.
That server has an SSL certificate that it will present to the client when the client arrives at the website. The client is going to check the digital signature on the certificate and follow it back to the certificate that made it. Anytime a CA issues an SSL/TLS certificate, it signs that certificate so that clients will know it’s legitimate.
Every client uses a root store that contains a collection of trusted root certificates. These root certificates have been used to sign a series of intermediate root certificates, which are in turn used to sign end-user or leaf SSL certificates. To verify the leaf certificate, the client continues following signatures, from the leaf to the intermediate, until it arrives at one of the roots in its root store.
Provided the SSL/TLS certificate descends from one of those trusted roots, it too will be trusted.
Back to RSA Signatures
Ok, let’s get back to RSA Domain Validation certificates. One of the intermediate roots that Sectigo uses to sign its leaf SSL/TLS certificates is the RSA Domain Validation CA certificate. Its key is used to sign all of the Sectigo DV SSL certificates that use RSA signatures.
Now let’s talk about digital signatures for a second.
For all intents and purposes there are two different signing schemes in use today. RSA is the most common, and then there’s DSA, the Digital Signature Algorithm, which is now primarily performed using Elliptic Curve Cryptography and abbreviated ECDSA.
Though it’s a bit archaic now, some people refer to SSL certificate types by their signing algorithm. So you may hear it’s an RSA SSL/TLS certificate or an ECDSA/ECC one. This refers to the type of digital signature.
RSA Domain Validation Intermediate Roots
So, circling back to Sectigo RSA Domain Validation, the Sectigo RSA Domain Validation CA certificate is the intermediate root that’s been spun up to sign Sectigo DV SSL certificates with RSA signatures. There’s also a Sectigo ECDSA Domain Validation CA certificate that signs DV certificates with Elliptic Curve (ECDSA) signatures.
It’s likely that this is the context you were querying “Sectigo RSA Domain Validation” for on Google. If that’s the case, you’re likely getting an error that this certificate is missing, or you may be getting a certificate chaining error.
Here’s a link to the Sectigo RSA Domain Validation CA certificate.
Why you’re having this problem
Here’s why you’re having the problem: As we just discussed, in order for a leaf SSL/TLS certificate to be trusted, the client needs to be able to chain it back to its root store. But CAs almost never sign directly off their root certificates – that exposes them to undue risk – so instead they spin up intermediate root certificates and use those to sign.
This is why you’re sometimes sent an additional “Intermediate” certificate when you receive your leaf SSL/TLS certificate. Your server will need to present the client with this additional intermediate in order to build the certificate chain that’s requisite for the client to trust the leaf certificate. Some browsers will cache intermediate certificates in case a server doesn’t send everything it needs to complete the chain, so it’s possible you installed your SSL/TLS certificate months ago and this was never an issue until someone using an older browser tried to reach your site.
The fix is easy if you’re server-side, just install the Sectigo RSA Domain Validation intermediate and you should have no more problems.
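To make the chain-building story from the PKI section and the “missing intermediate” error above concrete, here is an added example (it is not part of the original article, and it is not Sectigo’s code). It uses the openssl CLI, which it assumes is installed, to build a throwaway three-tier chain whose names (Toy Root CA, Toy RSA DV CA, example.test) are constructed for the demo. It then plays the role of a client that trusts only the root: verification fails when the server sends just the leaf and succeeds when the server sends the leaf plus the intermediate. It also prints the leaf’s signature algorithm, which is the “RSA” in “Sectigo RSA Domain Validation”.

```shell
#!/bin/sh
# Added example, not from the original article or from Sectigo: build a toy
# root -> intermediate -> leaf chain with the openssl CLI, then show that a client
# holding only the root can verify the leaf only when the intermediate is supplied.
# All names (Toy Root CA, Toy RSA DV CA, example.test) are constructed for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: the two CA certs are marked CA:TRUE, the leaf is an ordinary server cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:example.test\n' > leaf.ext

# Root CA (stands in for a root that ships in the client's root store).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -set_serial 1 \
  -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate CA (stands in for an issuing CA such as "Sectigo RSA Domain Validation").
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy RSA DV CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -days 30 -set_serial 2 \
  -extfile ca.ext -out int.crt 2>/dev/null

# Leaf (server) certificate, RSA-signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -days 30 -set_serial 3 \
  -extfile leaf.ext -out leaf.crt 2>/dev/null

# What a correctly configured server sends: the leaf first, then the intermediate.
cat leaf.crt int.crt > fullchain.pem

# Play the client: trust only root.crt, treat the file in $1 as "what the server sent",
# and verify the first certificate in it (the leaf). Prints OK or CHAIN_INCOMPLETE.
verify_as_client() {
  if openssl verify -CAfile root.crt -untrusted "$1" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo CHAIN_INCOMPLETE   # openssl reports "unable to get local issuer certificate" here
  fi
}

# The "RSA" in "Sectigo RSA Domain Validation" shows up as this field on the issued cert.
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

echo "server sends leaf only:         $(verify_as_client leaf.crt)"
echo "server sends leaf+intermediate: $(verify_as_client fullchain.pem)"
echo "leaf signature algorithm:       $(sig_alg leaf.crt)"
```

The first verification prints CHAIN_INCOMPLETE, the second prints OK, and the signature algorithm prints sha256WithRSAEncryption. The same check against your own live server is `openssl s_client -connect yourhost:443 -showcerts`: if only one certificate comes back, the intermediate has not been installed, and the fix is the one described above (serve the leaf together with the intermediate, as in fullchain.pem).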
If you’re client-side there is a way for you to add the Sectigo RSA Domain Validation certificate to your root store so that you can avoid this error and any others like it in the future, but first a word of caution: while this might fix your problem in the interim, you’re not helping the security ecosystem by covering for other websites’ mistakes. The best course of action would be to notify the site owner and let them fix it. It’s their problem, after all.