SSL Certificates: Single-Root vs Chained-Root

I recently renewed a bunch of SSL certificates. I actually use a reseller, Namecheap.com, but the actual SSL certificate authority is RapidSSL. I’ve bought RapidSSL’s SSL certificates for several years. They are cheap (particularly through a reseller like Namecheap.com), and they work just as well as the very expensive ones from the competition. RapidSSL’s SSL certificates were single-root certificates, making them easy and straightforward for the user (i.e. the administrator of the SSL-protected service) to install.

A single-root SSL certificate means that the certificate is directly signed by a “Root CA certificate”, i.e. a Certificate Authority’s own certificate that is already embedded in, and trusted by, your web browser.

The SSL certificates I renewed this year were different. They were no longer single-root certificates. The certificates are signed by an intermediary CA certificate, and the intermediary CA certificate is in turn signed by a Root CA certificate. This is known as a Chained-Root certificate. It’s also possible, in a more convoluted case, that the issued SSL certificate is signed by a chain consisting of more than one intermediary CA certificate before reaching a Root CA certificate that is trusted by the browser.

The immediate impact of a Chained-Root SSL certificate is that the certificate installation process for the service administrator (e.g. the website administrator if the SSL certificate is for an HTTPS service) becomes more complicated. The web server software will require the intermediate CA certificate to be installed as well, so that the full certificate chain can be offered by the server to the web browser, which needs it to verify the authenticity of the site’s SSL certificate.

There is also an impact on the service user. Using the above example of an HTTPS website, the web browser has to do some extra work to verify the chain of SSL certificates in order to determine whether the site’s SSL certificate is authentic. CPU power is cheap and abundant these days, so the extra work may be quite negligible in reality.

The above two issues are not really technical problems. I’m mainly upset because I didn’t know about the change, and I had always expected RapidSSL to issue Single-Root certificates.

Upon checking Namecheap.com’s website, as well as RapidSSL’s own website, I now realize that they no longer make any reference to Single-Root SSL certificates. However, a simple Google search (at least as of this time) still reveals many search results about RapidSSL’s Single-Root SSL certificates.

So, it looks like there has been a change in the type of SSL certificates that RapidSSL issues. It seems rather disappointing that this is not clearly made known to renewing customers. When you renew a service, you would assume that everything about the service remains unchanged. I know, we should still do our due diligence to check, but it’s also not very fair for the seller not to highlight this change.

If you are an Apache website administrator suddenly realizing you have to deal with this Chained-Root problem, here’s what you need to do:

  1. Copy the Intermediate CA certificate onto your web server, probably keeping it together with your other SSL certificates (e.g. /etc/httpd/ssl).
  2. Edit Apache’s configuration (e.g. /etc/httpd/conf/httpd.conf), look for the existing SSL certificate configuration (SSLCertificateFile) and add:
    SSLCACertificateFile <path-to-intermediate-ca-file>
  3. Done. Just restart Apache for the change to take effect.

Simple steps. Except that it is just plain annoying when you’ve suddenly got to figure this out because you didn’t realize you were getting a Chained-Root certificate.
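To see for yourself what the steps above fix, here is an added example (not from the original post) that builds a throwaway root CA, intermediate CA and server certificate with openssl, then shows that the server certificate verifies against the root only when the intermediate is supplied alongside it. All names in it (Example Root CA, www.example.test) are constructed, and it assumes an openssl binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root CA,
# intermediate CA and server certificate with openssl, then show that the
# server certificate verifies against the root only when the intermediate
# is supplied as well, which is why the web server has to send it.
# All names (Example Root CA, www.example.test) are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Minimal openssl config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\nCN = Common Name\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign\n' >req.cnf

# Root CA: self-signed, standing in for a CA already in the browser's trust store.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1

# Intermediate CA: a CSR signed by the root, itself allowed to sign certificates.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' >inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile inter.ext -out inter.pem >/dev/null 2>&1

# Server (leaf) certificate: signed by the intermediate, not by the root.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=www.example.test" -keyout server.key -out server.csr >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' >server.ext
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile server.ext -out server.pem >/dev/null 2>&1

# Bundle in the order Apache 2.4.8+ expects in SSLCertificateFile: leaf, then chain.
cat server.pem inter.pem >server-chain.pem

# verify_leaf [INTERMEDIATE]: returns 0 if server.pem chains up to root.pem.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.pem -untrusted "$1" server.pem >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
  fi
}

# cert_count FILE: number of certificates in a PEM bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

if verify_leaf; then echo "leaf alone verifies (single-root)"
else echo "leaf alone does NOT verify: the intermediate is missing (chained-root)"; fi
if verify_leaf inter.pem; then echo "leaf + intermediate verifies against the root"; fi
echo "certificates served from server-chain.pem: $(cert_count server-chain.pem)"
```

The same check works against a live site: feed the certificates from `openssl s_client -showcerts` to `openssl verify` with the intermediate as `-untrusted`. Apache 2.4.8 and later read the leaf-first bundle from SSLCertificateFile, while earlier versions take the intermediate through SSLCertificateChainFile.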