SSL - Single Root Vs Chained Root

There are basically two types of SSL certificates:
  1. Single Root Level SSL Certificate
  2. Chained Root SSL Certificate

When connecting to a web server over SSL, the visitor's browser decides whether or not to trust the website's SSL certificate based on which SSL Certification Authority has issued the SSL certificate. To determine this, the browser looks at its list of trusted issuing authorities - represented by a collection of Trusted Root CA certificates added into the browser by the browser vendor (such as Microsoft, Linux, UNIX, Sun and Netscape, Mozilla, Safari).

Where is this list of CAs on your computer?

When browsers and operating systems are developed or installed, most CA Root certificates are installed with them, because Root CA certificates are required to authenticate the SSL certificate on any website. When you browse any website over HTTPS://, the browser automatically identifies the Root Certificate as described earlier. If the browser fails to identify the CA, it displays an error message.

Most SSL certificates are issued by CAs who own and use their own Trusted Root CA certificates, such as those issued by VeriSign, RapidSSL, Thawte, and GeoTrust. Because all of these are known to browser vendors as trusted issuing authorities, their Trusted Root CA certificates have already been added to all popular browsers, such as Internet Explorer (IE 4.0, 5.0, 6.0, 7.0, 8.0), Mozilla Firefox, Safari and Netscape, and hence are already trusted. These SSL certificates are known as "single root" SSL certificates. RapidSSL and GeoTrust own the Equifax root used to issue their certificates. Likewise, VeriSign and Thawte have their own roots to issue SSL certificates.

What is a Chained Root SSL Certificate?

Some Certification Authorities do not have a Trusted Root CA certificate present in browsers, or do not use the root they do own. Instead, they use a "chained root" in order for their SSL certificates to be trusted: essentially, a CA with a Trusted Root CA certificate issues a "chained" certificate which "inherits" the browser recognition of the Trusted Root CA. These SSL certificates are known as "chained root" SSL certificates. However, chained root certificate installation is more complex, and some web servers and applications are not compatible with chained root certificates. Chained root certificates require additional effort to install, as the web server must also have the chained root installed. This is not necessary for single root certificates.
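The effect of a missing chained certificate can be reproduced offline. The script below is an added example, not part of the original article: it assumes the `openssl` command-line tool is installed, and it builds a throwaway root, chained (intermediate) and website certificate with constructed names, then verifies the website certificate with and without the chained certificate supplied.

```shell
#!/bin/sh
# Added example with constructed certificates; all names are made up.
set -eu

# Create root -> intermediate -> leaf in directory $1 (throwaway 2-day certs).
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    # Root: self-signed, the only certificate the "browser" trusts.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
    # Intermediate ("chained root"): a CA certificate signed by the root.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
    # Leaf: the website certificate, signed by the intermediate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Verify the leaf against the trusted root only.
# $2 = "with" if the server also supplies the intermediate, anything else if not.
verify_leaf() {
    d=$1
    if [ "$2" = "with" ]; then
        openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" \
            "$d/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" >/dev/null 2>&1
    fi
}

demo() {
    d=$(mktemp -d)
    make_chain "$d"
    for mode in without with; do
        if verify_leaf "$d" "$mode"; then r="trusted"; else r="NOT trusted"; fi
        echo "server $mode intermediate: leaf is $r"
    done
    rm -rf "$d"
}
demo
```

The "without" case fails because the verifier cannot find the issuer of the website certificate in its trusted list, which is the error a visitor sees when a web server has the site certificate installed but not the chained certificate.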

For a Certification Authority to have and use its own Trusted Root CA certificate already present in browsers is a clear sign that it is a long-standing, stable and credible organization with a long-term relationship with the browser vendors for the inclusion of its Trusted Root CA certificates. For this reason, such CAs are seen as being considerably more credible and stable than chained root certificate providers who do not have a direct relationship with the browser vendors, or do not use their own root certificates to issue SSL certificates. provides only Single Root SSL Certificates.
