Is there a difference between certificate with Global root and without Global root?

Time:09-09

Below are our certificate chains. Both of them work fine.

  1. Is there any particular reason we should consider having the Global root CA as part of the certificate chain?
  2. How do we get a certificate without the Global root? Can we approach DigiCert to remove the Global root from the chain?

With No Global Root CA

With Global root CA

CodePudding user response:

These are basically the same chains, except that the latter one has additionally the self-signed root certificate included (same issuer and subject: DigiCert Global Root CA).

When configuring the certificates inside the web server, one should not add the root certificate. It would be ignored by the client anyway, so it is a waste of bandwidth and thus might make the TLS handshake take more time.

Instead, the client needs to have the root certificate in its local trust store. If it doesn't, then sending it to the client would not help, since the trust chain when validating a certificate must always end in the local trust store, never in something sent by the server.
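The behaviour described in the answer above, as an added example that is not part of the original answer: a Go program that builds a constructed root, intermediate and leaf and runs standard path validation with and without the root in the served chain and in the client's trust store. The certificate names and the helpers `issue` and `Validates` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test certificate; a nil parent makes it self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key // root: issuer and subject are the same
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	cert, err := x509.ParseCertificate(der) // also fails if creation failed
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Validates reports whether served[0] (the leaf) chains to trustAnchor, the one root in
// the client's local trust store; pass nil for a client that does not have the root.
func Validates(trustAnchor *x509.Certificate, served ...*x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	if trustAnchor != nil {
		opts.Roots.AddCert(trustAnchor)
	}
	for _, c := range served[1:] {
		opts.Intermediates.AddCert(c) // sent certs are path-building hints, never anchors
	}
	_, err := served[0].Verify(opts)
	return err == nil
}

func main() {
	root, rk := issue("Constructed Root CA", true, nil, nil)
	ca, ck := issue("Constructed Intermediate CA", true, root, rk)
	leaf, _ := issue("leaf.example", false, ca, ck)
	fmt.Println(Validates(root, leaf, ca), Validates(nil, leaf, ca, root))
}
```

The two printed values are the chain without the root against a client that trusts it, and the chain with the root against a client that does not.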
