University of Strathclyde Digital Certificates

This page contains information about digital certificates and their respective issuing Certificate Authorities. It may be used to verify certificate information being offered by services.

If you note any discrepancies, either on this page, or with servers purporting to be related to the University but not covered by this information, or you have any other questions, then please let us know via certmaster@strath.ac.uk.

Local (Strathclyde) Certificate Authorities

Strathclyde Network Support Root CA 1

This root certificate has been used to issue local server certificates since January 2016.

It is the root certificate used to sign the eduroam 802.1X RADIUS server certificate.

• Subject (Issued to): /C=UK/ST=Scotland/O=The University Of Strathclyde/OU=Information Services/CN=University Of Strathclyde Network Support Root CA 1
• Issued By: /C=UK/ST=Scotland/O=The University Of Strathclyde/OU=Information Services/CN=University Of Strathclyde Network Support Root CA 1
• Valid not before: Jan 12 15:20:06 2016 GMT
• Valid not after: Jan 4 15:20:06 2046 GMT
• SHA1 fingerprint (thumbprint): CB:BF:F5:C0:AB:77:5F:83:B1:0F:D4:43:17:B6:04:17:B3:9D:0F:C8
• Download: [PEM]

Eduroam 802.1X certificates

eduroam.strath.ac.uk

From 10^th Jan 2021, the following certificate is in use for 802.1X authentication via eduroam:

• Subject (Issued to): /C=UK/ST=Scotland/L=Glasgow/O=The University Of Strathclyde/OU=Information Services/CN=eduroam.strath.ac.uk
• Issued By: /C=UK/ST=Scotland/O=The University Of Strathclyde/OU=Information Services/CN=University Of Strathclyde Network Support Root CA 1
• Serial: B4:43:69:B8:B7:76:8C:3E
• Valid not before: Jan 10 22:48:15 2021 GMT
• Valid not after: Aug 7 22:48:15 2026 GMT
• SHA1 fingerprint (thumbprint): 2B:91:C2:12:83:8A:10:92:27:8D:08:C7:AE:4C:40:66:D1:AD:33:D1
• SHA256 fingerprint (thumbprint): 14:AA:B3:10:BA:DF:C3:79:DA:5E:14:DD:94:DD:24:FA:68:0E:49:88:93:9B:F7:C0:83:B6:F2:F6:A4:EF:53:12
• Download: [PEM]

Commercial certificates via Sectigo (arrangement from 2025)

The University has a contract with Sectigo for 2 years from April 2025 for TLS certificates.

Certificate chain:

• AAA Certificate Services [root]
  • USERTrust RSA Certification Authority [subordinate CA 1]
    • Sectigo RSA Organizational Validation Secure Server CA [subordinate CA 2]
      • Server certificate

Note that for certificates issued from May 15 2025, the Root and Subordinate CA certificates for RSA based keys will change to be:

• Root CA: Sectigo Public Server Authentication Root R46 (https://crt.sh/?d=4256644734)
• Subordinate CA: Sectigo Public Server Authentication CA OV R36 (https://crt.sh/?d=4267304698)

Note that on 14th April, the CA/Browser Forum voted to amend the TLS Baseline Requirements, setting a schedule for the shorterning of the lifetime of TLS certs:

• Until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days
• As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days
• As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days
• As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days

AAA Certificate Services

This root certificate is used by Sectigo to sign the first subordinate CA (intermediate) certificate, and is signed by itself.

• Subject (Issued to): /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
• Issued By: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
• Serial: 01
• Valid not before: Jan 1 00:00:00 2004 GMT
• Valid not after: Dec 31 23:59:59 2028 GMT
• SHA1 fingerprint (thumbprint): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
• SHA256 fingerprint (thumbprint): D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4
• First line of PEM: MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
• Download: [PEM (local)] | [DER (from Sectigo (Comodo))] | [detailed cert info]

USERTrust RSA Certification Authority

This first subordinate CA (intermediate) certificate is used by Sectigo to sign the second subordinate CA (intermediate) certificate, and is itself signed by the root certificate.

• Subject (Issued to): /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
• Issued By: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
• Serial: 3972443AF922B751D7D36C10DD313595
• Valid not before: Mar 12 00:00:00 2019 GMT
• Valid not after: Dec 31 23:59:59 2028 GMT
• SHA1 fingerprint (thumbprint): D8:9E:3B:D4:3D:5D:90:9B:47:A1:89:77:AA:9D:5C:E3:6C:EE:18:4C
• SHA256 fingerprint (thumbprint): 68:B9:C7:61:21:9A:5B:1F:01:31:78:44:74:66:5D:B6:1B:BD:B1:09:E0:0F:05:CA:9F:74:24:4E:E5:F5:F5:2B
• First line of PEM: MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
• Download: [PEM (local)] | [DER (from Sectigo (Comodo))] | [detailed cert info]

Sectigo RSA Organization Validation Secure Server CA

This second subordinate CA (intermediate) certificate is used by Sectigo to sign the server certificate, and is itself signed by the first subordinate CA (intermediate) certificate.

• Subject (Issued to): subject= C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
• Issued By: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority, CN=USERTrust RSA Certification Authority
• Serial: 137D539CAA7C31A9A433701968847A8D
• Valid not before: Nov 2 00:00:00 2018 GMT
• Valid not after: Dec 31 23:59:59 2030 GMT
• SHA1 fingerprint (thumbprint): 40:CE:F3:04:6C:91:6E:D7:AE:55:7F:60:E7:68:42:82:8B:51:DE:53
• SHA256 fingerprint (thumbprint): 72:A3:4A:C2:B4:24:AE:D3:F6:B0:B0:47:55:B8:8C:C0:27:DC:CC:80:6F:DD:B2:2B:4C:D7:C4:77:73:97:3E:C0
• First line of PEM: MIIGGTCCBAGgAwIBAgIQE31TnKp8MamkM3AZaIR6jTANBgkqhkiG9w0BAQwFADCB
• Download: [PEM (local)] | [detailed cert info]

JISC Certificate Service Certificates - Sectigo (legacy)

The JISC Certificate Service supplies TLS certificates via an arrangement with Sectigo via a GEANT framework. This agreement has been active since 13th November 2020, but was prematurely terminated and is no longer active for new certificates since early January 2025. Certificates issued under this arrangement continue to be useable until their lifetime is reached one year after issue.

Further information about the JISC Certificate Service is available at https://www.jisc.ac.uk/certificate-service.

The root and chaining (intermediate) certificates used for JCS certificates issued by Sectigo are available below.

Certificate chain:

• AAA Certificate Services
  • USERTrust RSA Certification Authority
    • GEANT OV RSA CA 4
      • Server certificate

AAA Certificate Services

This root certificate is used by Sectigo to sign the first intermediate certificate, and is signed by itself.

• Subject (Issued to): /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
• Issued By: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
• Serial: 01
• Valid not before: Jan 1 00:00:00 2004 GMT
• Valid not after: Dec 31 23:59:59 2028 GMT
• SHA1 fingerprint (thumbprint): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
• SHA256 fingerprint (thumbprint): D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4
• First line of PEM: MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
• Download: [PEM (local)] | [DER (from Sectigo (Comodo))] | [detailed cert info]

USERTrust RSA Certification Authority

This first intermediate certificate is used by Sectigo to sign the second intermediate certificate, and is itself signed by the root certificate.

• Subject (Issued to): /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
• Issued By: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
• Serial: 3972443AF922B751D7D36C10DD313595
• Valid not before: Mar 12 00:00:00 2019 GMT
• Valid not after: Dec 31 23:59:59 2028 GMT
• SHA1 fingerprint (thumbprint): D8:9E:3B:D4:3D:5D:90:9B:47:A1:89:77:AA:9D:5C:E3:6C:EE:18:4C
• SHA256 fingerprint (thumbprint): 68:B9:C7:61:21:9A:5B:1F:01:31:78:44:74:66:5D:B6:1B:BD:B1:09:E0:0F:05:CA:9F:74:24:4E:E5:F5:F5:2B
• First line of PEM: MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
• Download: [PEM (local)] | [DER (from Sectigo (Comodo))] | [detailed cert info]

GEANT OV RSA CA 4

This second intermediate certificate is used by Sectigo to sign the server certificate, and is itself signed by the first intermediate certificate.

• Subject (Issued to): subject= /C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
• Issued By: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
• Serial: DA43BD139BD258BB4DD61CACC4F3DBE0
• Valid not before: Feb 18 00:00:00 2020 GMT
• Valid not after: May 1 23:59:59 2033 GMT
• SHA1 fingerprint (thumbprint): C2:82:6E:26:6D:74:05:D3:4E:F8:97:62:63:6A:E4:B3:6E:86:CB:5E
• SHA256 fingerprint (thumbprint): 37:83:4F:A5:EA:40:FB:F7:B6:11:96:95:59:62:E1:CA:05:58:87:24:35:E4:20:66:53:D3:F6:20:DD:8E:98:8E
• First line of PEM: MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
• Download: [PEM (local)] | [detailed cert info]

Legacy JISC Certificate Service and other authorities information

Information on previous iterations of the JISC Certificate Service is now available here.