Why You Need An SSL Signed By A Trusted Root Certificate
When you visit an HTTPS website, your web browser will check the website’s SSL certificate to see if it’s trusted. This is a critically important step, as this confirms that you’re connected to the correct website (not, for example, a hacker pretending to be amazon.com).
How does my web browser verify a website’s SSL certificate?
Your web browser will verify the website’s SSL certificate with the Certificate Authority that issued the certificate. If the SSL certificate was not issued by a trusted root certificate authority, your browser won’t be able to verify it, and you’ll get an error message like this:
What is a Trusted Root Certification Authority?
How does your computer know which certificate authorities to trust and which not to trust? That’s where root certificates and the trusted root store come into play.
Since your web browser can’t individually verify websites, it trusts certain companies, called certificate authorities, to verify individual websites on its behalf. Your browser uses what’s called a “root store”, which is basically a list of the companies that are trusted to verify websites and issue certificates. There’s actually a root store on your computer that looks like this:
Your web browser uses this root store to validate the SSL certificate of each HTTPS website you visit.
Why is it important to get an SSL certificate from a trusted root CA?
Very simple: if you use a self-signed certificate or an SSL certificate from an untrusted root, your website will display a big red error message like in the screenshot shown above.
That’s a great way to scare visitors away.
If you get an SSL certificate from a trusted root CA, though, your website can look like this:
How to tell which trusted root issued a website’s SSL certificate
In Google Chrome, click the padlock icon next to the website URL, then click Certificate. Then click Certification Path. The name listed at the top is the Root Certificate, in this case it’s DigiCert:
You’ll notice that there are three certificates listed, and the website certificate isn’t signed directly by the root certificate.
To maintain the highest security standards, the Root Certificate is kept securely by the Root Certificate Authority and is not used to sign website certificates directly; an intermediate certificate is used instead. The Intermediate Certificate is signed by the root certificate, and the Certificate Authority then uses the intermediate to sign the website’s certificate (also known as the SSL Certificate), which is ultimately installed on the server and presented to the client. This chain of trust is maintained strictly so that the root stays isolated: if an intermediate is ever compromised, the root certificate remains unscathed.
Example of an SSL Certificate chain
In the example above, you can see that CheapSSLsecurity.com is using a GeoTrust EV SSL certificate:
- The www.cheapsslsecurity.com certificate is installed on the web server that runs cheapsslsecurity.com
- The www.cheapsslsecurity.com certificate is signed by the “GeoTrust EV RSA CA 2018” certificate, which is the intermediate certificate.
- The intermediate certificate is signed by the “DigiCert” trusted root certificate.
- Your computer/browser has the DigiCert trusted root certificate in its root store, so your browser knows it’s trustworthy, and by extension it knows that www.cheapsslsecurity.com is trustworthy.
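The chain of trust described above, as an added example that is not code from the article or from any of the CAs it names: it builds a root CA, an intermediate CA and a server certificate with Go’s standard library, then verifies the server certificate the way a browser does, with only the root in the root store. The CA names, the hostname www.example.com and the function names are placeholders chosen for this example; the verification itself is Go’s own crypto/x509 path building.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf path; the CA names are
// placeholders for this example, not the CAs shown in the article.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// template returns a one-year certificate skeleton. CA templates carry the
// basicConstraints and keyCertSign bits a verifier demands of an issuer; server
// templates carry the SAN and serverAuth usage a browser demands of a leaf.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !isCA {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// sign issues tmpl under the signer's key and returns the parsed certificate
// with the new key pair's private half. With parent == tmpl and signer == nil
// the certificate is self-signed.
func sign(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// BuildChain mirrors the article's layout: the root key signs only the
// intermediate, and the intermediate key signs the server certificate.
func BuildChain(host string) Chain {
	rootTmpl := template("Example Trusted Root CA", 1, true)
	root, rootKey := sign(rootTmpl, rootTmpl, nil)
	inter, interKey := sign(template("Example Intermediate CA", 2, true), root, rootKey)
	leaf, _ := sign(template(host, 3, false), inter, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// SelfSigned builds the untrusted case from the article: a server certificate
// signed with its own key, so no trusted root vouches for it.
func SelfSigned(host string) *x509.Certificate {
	tmpl := template(host, 4, false)
	cert, _ := sign(tmpl, tmpl, nil)
	return cert
}

// VerifyLeaf does what the browser does: trust anchors come only from the root
// store, intermediates are whatever the server sent alongside its own cert.
func VerifyLeaf(leaf *x509.Certificate, intermediates, rootStore []*x509.Certificate, host string) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range rootStore {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
}

// IsUnknownAuthority reports whether err means "no path ends at a trusted root",
// the condition behind the browser error page shown in the article.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}
```

Three outcomes are worth comparing: the full chain (leaf, intermediate, root) validates to a path of three certificates; the same leaf fails with an unknown-authority error when the server omits the intermediate, even though the root is trusted; and a self-signed certificate fails the same way because nothing in the root store vouches for it. Note that the root’s private key is used exactly once, to sign the intermediate, which is the property the article describes.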
How to get an SSL Certificate from a Trusted Root Certification Authority
There are a variety of certificate authorities that offer fully trusted SSL certificates for your website. Some of the most popular are Comodo, GeoTrust, Thawte, Sectigo, and RapidSSL. You just need to purchase an SSL certificate from one of these trusted root CAs, then go through a simple validation process before they issue your SSL certificate.