This article covers how trust is determined with SSL certificates. Specifically how the chain of trust is validated by web browsers (and other SSL clients). This is most relevant for User uploaded certificates.
For AutoSSL certificates we take care of building a SSL certificate with all required intermediaries.
SSL Trust Chain and Intermediate Certificates
There are two types of certificate authorities (CAs), root CAs and intermediate CAs. In order for a certificate to be trusted, and often for a secure connection to be established at all, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.
If the certificate was not issued by a trusted CA, the connecting device (e.g., a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).
To use an intermediary certificate, before uploading you need to combine the files. Although some browsers will accept certificates in an incorrect order it is important to us to ensure they are in the correct order. That is:
The Primary Certificate - your_domain_name.crt
One or more Intermediate Certificates
The Root Certificate
The result should look something like:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate=)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate)
-----END CERTIFICATE-----