Home » Download Comodo Trusted Root Authority Certificates

Download Comodo Trusted Root Authority Certificates

Download Comodo Trusted Root Authority Certificates

Comodo Root Certificate - A trusted digital certificate issued by Comodo CA (now Sectigo) that anchors the chain of trust for SSL/TLS connections. It is pre-installed in most browsers and operating systems. Without it, browsers flag HTTPS sites as untrusted.

You can download the Comodo root certificate directly from Sectigo's official repository or from your operating system's built-in certificate store. The file is available in .crt, .pem, or .cer format depending on your platform. Most users need it to fix SSL trust errors, configure servers, or validate certificate chains in enterprise environments.

What Is a Comodo Root Certificate?

A Comodo root certificate is the top-level certificate in Sectigo's public key infrastructure (PKI) hierarchy. It signs intermediate certificates, which in turn sign end-entity SSL certificates issued to websites.

Browsers and operating systems ship with a pre-loaded list of trusted root certificates. If the Comodo root is missing or expired on a device, any site using a Comodo-issued certificate will trigger a "Certificate Not Trusted" warning.

Where Can You Download the Comodo Root Certificate?

The authoritative download source is Sectigo's certificate repository (formerly Comodo CA). Sectigo rebranded from Comodo CA in 2019 but continues to manage the same root certificates and intermediate chain files.

The two most commonly needed root certificates are:

Certificate Name Use Case Format
AAA Certificate Services Legacy compatibility, pre-2010 chains .crt / .pem
USERTrust RSA Certification Authority Modern SSL/TLS chains (2010–present) .crt / .pem
COMODO RSA Certification Authority SHA-2 intermediate anchor .crt / .pem
AddTrust External CA Root Cross-signed legacy root (expired May 2020) .crt - avoid for new installs

Note: The AddTrust External CA Root expired on 30 May 2020 per Sectigo's advisory. Do not use it for new server configurations.

How Do You Download and Install the Comodo Root Certificate on Windows?

  1. Open your browser and go to the Sectigo root certificate repository.
  2. Click the download link for USERTrust RSA Certification Authority (recommended for modern chains).
  3. Save the .crt file to a known location on your machine.
  4. Double-click the .crt file to open the Certificate dialog.
  5. Click Install Certificate → choose Local Machine → click Next.
  6. Select Place all certificates in the following store → click Browse → choose Trusted Root Certification Authorities.
  7. Click NextFinish → confirm the security prompt.

Windows will confirm the import with a success dialog. You can verify the install via certmgr.msc under Trusted Root Certification Authorities.

How Do You Install the Comodo Root Certificate on Linux or macOS?

On Ubuntu/Debian Linux:

  1. Download the .crt file from Sectigo's repository.
  2. Copy it to the system certificate directory:
  3. sudo cp comodo-root.crt /usr/local/share/ca-certificates/sudo update-ca-certificates
  4. Confirm with: ls /etc/ssl/certs/ | grep -i comodo

On macOS:

  1. Download the .crt file.
  2. Double-click it to open Keychain Access automatically.
  3. Choose the System keychain → click Add.
  4. Find the certificate, double-click it → expand Trust → set to Always Trust.
  5. Close and enter your admin password when prompted.

Why Is the Comodo Root Certificate Needed for Server Configuration?

Web servers like Apache, Nginx, and IIS require the full certificate chain - end-entity certificate, intermediate(s), and the root - to present to clients during the TLS handshake. Missing intermediate or root certificates cause chain validation failures.

According to Sectigo's knowledge base, server administrators should bundle the root and intermediate files into a single .pem chain file and reference it in the server's SSL configuration. Most clients do not require the root in the bundle since they already have it in their trust store, but including it ensures compatibility with non-standard environments.

Frequently Asked Questions

What is the difference between a root certificate and an intermediate certificate?

A root certificate is self-signed and sits at the top of the trust hierarchy. An intermediate certificate is signed by the root and issues end-entity certificates to domains. Browsers trust a site because they trust the root that ultimately signed its certificate chain.

Is Comodo CA the same as Sectigo?

Yes. Comodo CA rebranded to Sectigo in November 2018. All certificates issued under the Comodo CA brand remain valid, and the root certificates are the same. The Sectigo name now appears on newly issued certificates.

Which Comodo root certificate should I use for modern HTTPS?

Use the USERTrust RSA Certification Authority root for modern RSA chains, or USERTrust ECC Certification Authority for ECDSA chains. Both are active and widely trusted as of 2026.

What happens if the Comodo root certificate is expired?

Clients that rely solely on the expired root will show certificate errors. This affected systems in May 2020 when AddTrust External CA Root expired, per Sectigo's technical bulletin. Updated systems already transitioned to the USERTrust root chain.

Can I verify a downloaded Comodo root certificate?

Yes. Use OpenSSL to check the fingerprint:

openssl x509 -in comodo-root.crt -fingerprint -sha256 -noout

Compare the output against the official fingerprint listed on Sectigo's repository page.

Do mobile devices need the Comodo root certificate installed manually?

No, in most cases. Android and iOS ship with Sectigo/Comodo roots pre-installed. Manual installation is only required for managed enterprise devices with custom trust stores or for testing environments with non-standard configurations.

Get the Right SSL Certificate for Your Site

Compare Comodo certificates and 30+ other trusted CA options - with pricing, validation levels,
and browser compatibility side by side.

Compare SSL Certificates →