To ensure normal HTTPS communication between clients and your web server, you must install the root certificate and intermediate certificates when you install an SSL certificate on your web server. This topic describes how to download root certificates and intermediate certificates.

Root certificates

Scenarios

If your web services are accessed by using browsers, you do not need to install root certificates because the root certificates are built into the browsers. In this scenario, you need to install only the SSL certificates that are issued by the certificate authority (CA) on your web server. This way, your web server can communicate with the browsers over HTTPS. For more information about how to install SSL certificates, see Installation overview.

If your web services are accessed by using clients such as Java clients, you must install root certificates on the clients because no root certificates are built into the clients. If you do not install the root certificates, the clients cannot verify the SSL certificate that your web server presents. For example, if a DigiCert organization validated (OV) SSL certificate is installed on your web server, the DigiCert OV root certificates must be installed on the clients before the clients can communicate with your web server over HTTPS.

Warning: After you install root certificates on clients, the clients may still encounter web service interruptions due to other causes, for example, when the root certificates expire, become invalid, or undergo policy changes. We do not recommend that you use this method. If you want to install the root certificates on apps or Java clients, you can download the required root certificates from the links that are provided in the "Download links for root certificates" section of this topic.

We recommend that you implement client verification by using the default Truststore of the clients and enable strong domain name verification to enhance the security of the apps. If you want to learn more, submit a ticket or contact after-sales technical support. To contact after-sales technical support, log on to the SSL Certificates Service console, move the pointer over Technical Support in the left-side navigation pane, and then scan the QR code that appears to request to join the DingTalk service group.
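The following Java program is an added example, not code from this documentation or from the SSL Certificates Service. It shows the recommended approach on a Java client: it loads the runtime's default Truststore, reports the expiry state of the roots for one CA, and enables domain name (hostname) verification on a TLS engine built from that Truststore. The class name and the values of CA_NAME_FILTER and PEER_HOST are constructed sample values.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import javax.net.ssl.*;

public class DefaultTrustStoreCheck {
    // Constructed sample values; replace with the CA name and host you actually use.
    static final String CA_NAME_FILTER = "DigiCert";
    static final String PEER_HOST = "www.example.com";

    public static void main(String[] args) throws Exception {
        // init((KeyStore) null) loads the runtime's default truststore (normally the
        // JDK's cacerts file, unless javax.net.ssl.trustStore points elsewhere).
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        Instant warnBefore = Instant.now().plus(Duration.ofDays(180));
        int matches = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate root : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String subject = root.getSubjectX500Principal().getName();
                if (!subject.contains(CA_NAME_FILTER)) continue;
                matches++;
                Instant notAfter = root.getNotAfter().toInstant();
                String state = notAfter.isBefore(Instant.now()) ? "EXPIRED"
                    : notAfter.isBefore(warnBefore) ? "EXPIRES SOON" : "ok";
                System.out.printf("%-12s %s  notAfter=%s%n", state, subject, notAfter);
            }
        }
        System.out.println(matches + " matching root(s) in the default truststore");

        // Build the TLS context from the default trust managers only, then turn on
        // hostname verification, which a raw SSLSocket or SSLEngine leaves off by default.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLEngine engine = ctx.createSSLEngine(PEER_HOST, 443);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        System.out.println("endpoint identification: "
            + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

The same SSLParameters setting applies to an SSLSocket created from ctx.getSocketFactory(); HttpsURLConnection already performs hostname verification by default.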

Download links for root certificates

You can download only the following root certificates:

Intermediate certificates

To ensure normal HTTPS communication between clients and your web server, you must install the root certificate and intermediate certificates when you install an SSL certificate on your web server. In most cases, the SSL certificates that you download contain intermediate certificates. For example, if you download a certificate package for Apache servers, the domain name_chain.crt file extracted from the package contains intermediate certificates.

Notice: If your SSL certificates do not contain intermediate certificates or your intermediate certificates expire, you can visit the official website of the CA to download the intermediate certificates. Alternatively, you can submit a ticket to contact after-sales technical support and obtain the download links for your intermediate certificates.