Category: All about SSL certificates
This article explains to you what root and intermediate certificates how they work.
In a nutshell:
Without a root certificate, the browser would have no reason to accept an SSL certificate issued by the CA.
End users should not normally modify the certificates that come with their browser. Browser developers such as Mozilla, Google, Microsoft and Apple (Safari) ensure that when updates are made, the obsolete or expired certificates are automatically replaced with newer ones.
Therefore, it is also important to ensure that you have an up-to-date operating system with the very latest security updates. If your operating system is not up to date, you may sometimes have an older root certificate with the result that newer certificates are considered "not correct" when in fact they are!
Certificate Authorities must meet very strict security requirements to ensure that their certificates are not compromised. In addition to the current root certificate, whose private key is tightly guarded, and which is not used to directly sign SSL certificates, all certificate issuers use intermediate or intermediate certificates, often one per product.
Should, which is extremely unlikely, the private key of one of these intermediate certificates be hijacked, it still guarantees the security of certificates that depend on another intermediate certificate.
Since intermediate certificates vary from product to product, it is always recommended to install them on your server before installing your own certificate.
If not, or if the intermediate certificate is not correct, your visitors' browsers may not accept the installed SSL certificate. This is a common so-called "Incomplete Chain" error.
You can download the different certificates on the websites of the Certificate Authorities.
Were not all your questions answered?
Don't worry, we will be happy to help you via a support request!