In order to trust the digital certificate, does immediate CA cert also needs to be in trust store or root CA cert is enough?

Question

In order to trust the digital certificate, does immediate CA certificate also needs to be in trust store or root CA certificate is enough?

Answer 1

You only need to trust the root CA, the intermediate (and other) certificates will be checked if they are signed by a trusted root CA, or a intermediate that is trusted by a root CA. If that root CA is trusted by you, all certificates signed with that will be trusted by you.

For example, when you have a chain [user] → [intermed-1] → [intermed-2] → [root], the verification is like this:

Does [user] have [intermed-1] as its "Issuer"?

Does [user] have a valid signature by [intermed-1]'s key?

Does [intermed-1] have [intermed-2] as its "Issuer"?

Does [intermed-1] have a valid signature by [intermed-2]'s key?

Does [intermed-2] have [root] as its "Issuer"?

Does [intermed-2] have a valid signature by [root]'s key

Since [root] is at the bottom of the chain and has itself as "Issuer", is it marked as trusted?

(snip from this answer)

Answer 2

The root certificate should be enough. It is the server's responsibility to provide any necessary intermediate certificates. To quote RFC 5246:

This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.

The root certificate is the only optional ("MAY" instead of "MUST") piece of the chain.

That being said, in real world usage both ends blur the edges a little. Some servers don't provide the intermediate, usually out of lack of knowledge combined with the ability to get away with it. And they get away with it because some popular intermediate certs get pre-populated into trust stores (my Win7 installation has about 15, for issuers like DigiCert, Entrust, GeoTrust, Go Daddy, Microsoft, RapidSSL, Thawte, and Verisign ).

So, you can put intermediate certs into your trust store if you want to compensate for some server that's not doing it right. But you're fully in the right if instead you want to notify the site that their server is misconfigured and ask them to correct it.

Answer 3

The posts by gowernfawr and BadSkillz address the question fully.

Just to throw in a helpful tip so you can make sure your certificate is configured correctly:

You can use www.SSLLabs.com to test your configuration. In the "Certification Paths" section the Leaf (Server certificate) and Intermediate Certificate should be "Sent by Server" and the Root should be "In Trust Store".

If the Root also displays "Sent by Server" in orange, you should remove it from your server as its unnecessarily inflating your SSL handshake.