...

Starting at the beginning of May 2020, the chain we get from Sectigo instead contains the root certificate with CN = AAA Certificate Services expiring at the end of 2028, and the next level is CN = USERTrust RSA Certification Authority with the same expiry date.

This is their new workaround for legacy environments, but as far as we know it will . It should not cause problems for modern browsers/operating systems, but we have got reports where including this caused problems for some users. If you do not need the compatibility with old legacy systems provided by this chain, send only the GEANT-branded sub-CA certificate (see below).

Do we really need all those certificates in the chain?

...