To ensure normal HTTPS communication between clients and your web server, you must install the root certificate and intermediate certificates when you install an SSL certificate on your web server. This topic describes how to download root certificates and intermediate certificates.

Root certificates

Scenarios

If your web services are accessed by using browsers, you do not need to install root certificates because the root certificates are built into the browsers. In this scenario, you need to only install the SSL certificates that are issued by certificate authorities (CAs) on your web server. This way, your web server can communicate with the browsers over HTTPS.

If your web services are accessed by using clients such as Java clients, you must install root certificates on the clients because no root certificates are built into the clients. If you do not install the root certificates, the clients cannot verify the information encrypted by your web server. For example, if a DigiCert organization validated (OV) SSL certificate is installed on your web server, the clients must be installed with DigiCert OV root certificates before they can communicate with your web server over HTTPS.

Warning After you install root certificates on clients, the clients can verify the identity of the web server, but other issues may occur due to various reasons, such as expired root certificates or policy changes. For example, the clients fail to access the web server, or the system notifies you that the connection established from a client is not secure. This method is not recommended. We recommend that you implement client verification by using the default Truststore of the clients and enable strong domain name verification to improve the security of the apps. If you still want to install root certificates on apps or Java clients, you can download the required root certificates from the links that are provided in the "Download links for root certificates" section of this topic.

Download links for root certificates

You can download only the following root certificates:

Intermediate certificates

To ensure normal HTTPS communication between clients and your web server, you must install intermediate certificates when you install an SSL certificate on your web server. In most cases, the SSL certificates that you download contain intermediate certificates. For example, if you download a certificate package for Apache servers, the domain_name_chain.crt file that is extracted from the package contains intermediate certificates.

Notice If your SSL certificate does not contain intermediate certificates or your intermediate certificates expire, you can visit the official website of the CA to download the intermediate certificates.