Chained and Single Root Certificates

Every Certification Authority (CA) has its own root certificate. A root certificate is a self-signed certificate that identifies the issuer of digital certificates (the CA). To enhance the security of their root certificates, CAs create intermediate certificates (for example, one for each specific type of certificate they issue). There may be several intermediate certificates. The sequence of root and intermediate certificates belonging to a CA is called a 'chain'. Each certificate in the chain is signed by the next certificate in the chain, ending at the self-signed root. In this scheme, the webserver certificate (the one that is to be installed on the webserver where the user's site is hosted) is signed not by the root certificate directly but by one of the intermediates.

Unlike chained certificates, single root certificates are signed directly by the root certificate of the CA. Currently most CAs are abandoning this technique. According to NIST guidelines, as well as the policies of Mozilla, Microsoft and other browser and platform vendors, the use of chained certificates provides a higher level of security.

Browsers and other web applications usually ship root certificates only. This means that they will not recognize a webserver certificate as valid unless all intermediates are installed. To make a chained certificate work, one needs to install all certificates from the 'chain'. Installing a chained certificate is a rather simple process. Installation instructions are available in the manuals for webservers as well as on the support sites of CAs.
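
The effect of a missing intermediate can be reproduced locally with the openssl command-line tool. The script below is an added example, not taken from any CA's or webserver's instructions: it builds a throwaway root, intermediate and webserver certificate, then verifies the webserver certificate as a client that trusts only the root. All names (Example Root CA, www.example.test, the file names) are constructed for the demonstration, and it assumes openssl is installed.

```shell
#!/bin/sh
# Constructed demo: every key, name and certificate below is throwaway test data.

new_csr() {   # new_csr <file stem> <common name>: fresh key plus signing request
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

# Build root -> intermediate -> webserver certificates inside directory $1.
build_chain() (
    cd "$1" || exit 1
    # Extensions that mark a certificate as a CA (allowed to sign other certificates).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    new_csr root "Example Root CA" &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 30 -out root.pem 2>/dev/null &&                    # self-signed root
    new_csr inter "Example Intermediate CA" &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 30 -out inter.pem 2>/dev/null &&   # signed by the root
    new_csr leaf "www.example.test" &&
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 30 -out leaf.pem 2>/dev/null                       # signed by the intermediate
)

# A client that trusts only the root and is handed just the webserver certificate.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

# The same client when the server also supplies the intermediate (-untrusted).
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" \
        2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
build_chain "$work" || echo "could not build the demo chain (is openssl installed?)"
verify_leaf_only "$work"  && echo "leaf only: accepted" || echo "leaf only: rejected, issuer unknown"
verify_with_chain "$work" && echo "leaf + intermediate: accepted" || echo "leaf + intermediate: rejected"
```

The first check is rejected because the client cannot find the certificate that issued the webserver certificate; the second is accepted once the intermediate is supplied, which is what installing the full chain on the webserver achieves.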

