The SSL (leaf) certificate setup by the website owner does not automatically allow the trusting of the website to create a secure connection. For this the website owner must additionally also setup CA Intermediate certificates that can be recognised by CA Root certificates.
What is an Intermediate Certificate
An Intermediate certificate is an additional certificate setup on the website that links the website's SSL (leaf) certificate with the Root certificate of the Certifying Authority (CA) available in an app or device.
This is a longer validity certificate and CAs provide the intermediate certificate in the ca-bundle file which is provided with the website leaf certificate.
In order for the website certificate to be properly setup, the Private key, the Leaf certificate, and the Intermediate certificate should be added together.
What is a Root Certificate
Apps such as web browsers, or operating systems of devices such as PCs and smartphones ship with CA Root certificates already installed. New root certificates are added and old ones updated when the app or device receives it's regular software updates.
Root certificates is a very long validity certificate that anchors the certificate trust chain (Leaf->Intermediate->Root) within an app or device. This certificate requires no action from a website owner.
Putting It All Together
The Intermediate certificate was issued to the CA by signing it with a Root certificate. The website SSL certificate is issued by a CA after signing it with their Intermediate certificate. This is how the certificate trust chain is established.
Now lets explain how the website SSL certificate trust chain works from a web browser's point of view with an example.
When you buy a PositiveSSL certificate issued by Sectigo, you also get Sectigo's own longer validity certificate issued by USERTrust in a ca-bundle file. So when you setup the leaf and intermediate certificates on the website you get a certificate chain as below.
This USERTrust certificate is trusted by a web browser on an operating system that has the USERTrust Root certificate in it's trust store (root certificate database).
Here is a simplified sequence of events for a web browser to trust the website's leaf certificate:
- Is the website SSL (leaf) certificate valid? - web browser checks website leaf certificate.
- Is the leaf certificate issued by a trusted CA? - web browser checks the website intermediate certificate.
- Can the CA's intermediate certificate be trusted? - web browser checks the operating system's trust store for the root certificate.
If the answer to all 3 questions is Yes, the web browser knows it can open a secure channel to the website via https on port 443.