
Certificate Management Service: Download a root certificate and an intermediate certificate

Last Updated: Mar 13, 2024

If your web services are accessed by using clients such as Java clients, you must download root certificates whose types are the same as the types of your server certificates. Then, install the root certificates on the clients to ensure that the clients can establish HTTPS connections with the web server. This topic describes how to download a root certificate and an intermediate certificate.

Usage notes

A root certificate is the basis for establishing a chain of trust. After you install a root certificate on a client, the client can verify every certificate whose chain leads back to that root certificate. The client therefore trusts all servers and applications whose certificates are issued under the root certificate, which establishes a complete chain of trust.

  • If your web services are accessed by using browsers, you do not need to install root certificates or intermediate certificates because the root certificates and intermediate certificates are built into the browsers. In this scenario, you only need to install the SSL certificates that are issued by certificate authorities (CAs) on your web server. This way, your web server can communicate with the browsers over HTTPS. For more information about how to obtain an SSL certificate, see Purchase SSL certificates.

  • If your web services are accessed by using clients such as Java clients, you must install root certificates and intermediate certificates on the clients or in the default Truststore of the clients because no root certificates or intermediate certificates are built into the clients. If you do not install the root certificates or intermediate certificates, the clients cannot verify the information encrypted by your web server. For example, if a DigiCert organization validated (OV) SSL certificate is installed on your web server, you must install DigiCert OV root certificates on the clients before the clients can communicate with your web server over HTTPS.

Important
  • After you install root certificates on clients, client-side verification can be implemented. However, the installed root certificates can cause issues later, for example when they expire or when policies change: the clients may fail to access the web server, or the system may notify you that the connection established from a client is not secure. We recommend that you do not use this method. Instead, we recommend that you install the root certificates in the default Truststore of the clients and implement client-side verification by using the default Truststore.

  • If you still want to install root certificates on apps or Java clients regardless of the risks, you can download and install the required root certificates. For more information, contact your account manager.

The types of root certificates and intermediate certificates are related to the types of certificates that you want to use, but are not related to the types of apps on which you want to install the root certificates or intermediate certificates. You must download root certificates and intermediate certificates based on the types of your certificates.

Download root certificates

You can download only the following root certificates. You can click the links to download root certificates based on the brands and types that you want to use.

Download intermediate certificates

To ensure normal HTTPS communication between clients and your web server, you must install intermediate certificates when you install an SSL certificate on your web server. In most cases, the certificates that you download contain intermediate certificates. For example, if you download a certificate package for Apache servers, the domain_name_chain.crt file that is extracted from the package contains intermediate certificates.

If your certificate does not contain intermediate certificates or your intermediate certificates expire, you can visit the official website of the CA to download the intermediate certificates. If you encounter issues, contact your account manager.
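The following added example (not part of the original documentation) uses openssl to build a throwaway root, intermediate, and server certificate, then shows that a client trusting only the root rejects the server certificate unless the intermediate certificates from domain_name_chain.crt are supplied. The helper functions, the demo-*.example.test names, and every file name other than domain_name_chain.crt are assumptions made for this example.

```shell
#!/bin/sh
# Constructed demo PKI (sample names): root CA -> intermediate CA -> server certificate.
make_demo_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=demo-$n.example.test" 2>/dev/null || exit 1
  done
  # The root signs itself, the root signs the intermediate, the intermediate
  # signs the server certificate, and the chain file holds the intermediate.
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 30 -out root.crt 2>/dev/null &&
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out int.crt 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -days 30 -out domain_name.crt 2>/dev/null &&
  cp int.crt domain_name_chain.crt
)

# Usage: chain_ok TRUSTED_ROOT SERVER_CERT [CHAIN_FILE]
# Exit status 0 when SERVER_CERT validates up to TRUSTED_ROOT. CHAIN_FILE is
# passed as untrusted input, the way a server sends its intermediates.
chain_ok() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Number of PEM certificates in a file (0 means the chain file is empty).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" || { echo "openssl failed to build the demo PKI" >&2; exit 1; }
echo "certificates in domain_name_chain.crt: $(count_certs "$demo_dir/domain_name_chain.crt")"
if chain_ok "$demo_dir/root.crt" "$demo_dir/domain_name.crt"; then
  echo "root only: verified"
else
  echo "root only: rejected (issuer of the server certificate is unknown)"
fi
if chain_ok "$demo_dir/root.crt" "$demo_dir/domain_name.crt" "$demo_dir/domain_name_chain.crt"; then
  echo "root + chain file: verified"
fi
```

Against real files, call chain_ok with the downloaded root certificate, your server certificate, and the chain file from the certificate package to confirm the chain is complete before you deploy it.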