...
Do we really need all those certificates in the chain?
No. You Your webserver or similar should be fine with only sending the GEANT-branded sub-CA certificate (CN = GEANT OV RSA CA 4 or similar) configured as a chain certificate in your together with the server certificate. That The GEANT sub-CA certificate is signed by a version of CN= USERTrust RSA Certification Authority
that is present in modern browser/OS trust stores and similar.(this version is self-signed, and does not rely on CN = AAA Certificate Services
).
If you need the good version of CN= USERTrust RSA Certification Authority
to import in some software (for example newer versions of VMware that does not like the CN = AAA Certificate Services
root), you can find it via the link on Sectigo's documentation page Sectigo Chain Hierarchy and Intermediate Roots
Where can we check if our server sends the correct chain?
...