Popular questions about the root and intermediate certificates

In this article we have compiled the most popular questions about the root certificate.

Q: Should I install the root certificate on the server?

Answer: No. The root certificate is already built into the connecting device. In the case of web browsers, root certificates are supplied with the software package.

Q: How do I install intermediate SSL-certificates?

Answer: How intermediate SSL-certificates are installed depends on the web server and the environment in which the certificate is being installed. Apache requires you to add the intermediate SSL-certificates and indicate the location of the bundle in the SSLCertificateChainFile configuration directive. Nginx, on the other hand, requires the intermediate SSL-certificates to be packed into a separate bundle together with the final certificate.

Consult the documentation of your web server to determine how to correctly install the domain certificate and the intermediate certificates.

Q: What happens if I do not install intermediate SSL-certificates?

Answer: If you do not install one or more intermediate SSL-certificates, the result is a gap in the chain of certificates: a break between a particular certificate (final or intermediate) and its issuer. If a device cannot find a trusted issuer for a certificate, that certificate and the whole chain from the intermediate certificate down to the final certificate will be untrusted.

As a result, your final certificate will not be trusted. Web browsers will display a notification that the certificate is invalid or not trusted.
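
The gap described above can be located with a simplified model of the chain walk a client performs. This is an added example, not part of the original article: the certificate names are constructed, find_chain_gap is a hypothetical helper, and the model links certificates by name only (no signature, expiry or extension checks).

```python
# Added illustration: certificates are reduced to subject/issuer names.
# Real clients also verify signatures, validity dates and extensions.

def find_chain_gap(leaf, sent_intermediates, trusted_roots, max_depth=10):
    """Walk from the final certificate towards a trusted root.

    Returns (path, gap). path lists the subjects linked so far; gap is None
    when the walk reaches a trusted root, otherwise it is the issuer name
    the client could not find among the certificates the server sent.
    """
    by_subject = {c["subject"]: c for c in sent_intermediates}
    path = [leaf["subject"]]
    current = leaf
    for _ in range(max_depth):
        issuer = current["issuer"]
        if issuer in trusted_roots:          # issuer ships with the client
            path.append(issuer)
            return path, None
        nxt = by_subject.get(issuer)
        if nxt is None or nxt["subject"] in path:  # missing issuer or a loop
            return path, issuer
        path.append(nxt["subject"])
        current = nxt
    return path, current["issuer"]           # chain longer than max_depth

# Constructed sample data (not real certificates).
ROOTS = {"Example Root CA"}                  # the client's built-in root list
LEAF = {"subject": "www.example.com", "issuer": "Example Issuing CA 2"}
INT2 = {"subject": "Example Issuing CA 2", "issuer": "Example Intermediate CA 1"}
INT1 = {"subject": "Example Intermediate CA 1", "issuer": "Example Root CA"}

if __name__ == "__main__":
    for label, sent in [("both intermediates", [INT1, INT2]),
                        ("one intermediate missing", [INT2]),
                        ("no intermediates", [])]:
        path, gap = find_chain_gap(LEAF, sent, ROOTS)
        status = "trusted" if gap is None else f"untrusted, no issuer '{gap}'"
        print(f"{label}: {' -> '.join(path)} ({status})")
```
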

Q: How can I reduce the chain of certificates in my browser?

Answer: Unfortunately, it is impossible. The only way to shorten the chain of certificates is to add the intermediate certificate to the root. Ideally, you should use a certificate from a certification authority; in this case the chain will include only two certificates.

However, root certificates are packed together with the browser, and the list cannot be changed by anyone other than the browser developers.
