This is not the issue. When using certificates the trusting party needs to be able to verify the signature on the certificate. If a cert is signed by an intermediate CA, and the client only has the private key of the root CA, then it can't verify the signature on the server's cert.
What needs to happen is that the client verifies the intermediate CA's certificate by using the root CA's public key. It can then verify the server's certificate using the now verified/trusted intermediate CA's certificate.

The reason you are asked to install the intermediate CA's certificate into your web server is that most browsers and web servers have the technology to transfer the intermediate CA certs between the two parties. It saves the client having to manually install the intermediate CA certs.

Cheers
Ken

From: Sam Cayze [mailto:sam.ca...@rollouts.com]
Sent: Friday, 15 October 2010 5:23 AM
To: NT System Admin Issues
Subject: RE: SSL Intermediate Certs

"I've imported it into a few servers and appliances (firewall for example) and it works just fine, my browser doesn't complain and shows it's trusted."

Note, if it's a web-facing web page or something, just install the Int. Cert.

I used a Cert once without installing the Int, it worked fine everywhere I tested. Next day, got a bunch of calls from Clients, etc, that they were getting security warnings from the site. Quickly installed the Int cert and the problems went away.

If you are just using it internally, probably not an issue...

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Thursday, October 14, 2010 12:17 PM
To: NT System Admin Issues
Subject: SSL Intermediate Certs

Have to admit I'm thoroughly confused by these.

I totally get the idea that if I buy a cert from Globalsign their CA is what forms the "trust" so I need their CA installed on my PC.

Where I'm getting a bit lost is intermediate certificates. More and more vendors instruct you to install their intermediate cert on servers that you install their certificate on to, however having just purchased a wildcard cert from such a vendor, I'm a bit surprised that I've imported it into a few servers and appliances (firewall for example) and it works just fine, my browser doesn't complain and shows it's trusted.
I'm assuming this is because the server I'm installing the cert on must already have the intermediate CA installed?

________________________________
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin
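
The chain check described in the first reply can be reproduced with openssl on a throwaway PKI. This is an added example, not part of the original thread: the CA names, host name and file names are constructed, and `-untrusted` stands in for the intermediate certificate a server sends along with its own during the handshake.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: Demo Root CA -> Demo Intermediate CA -> www.example.test
set -eu
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT

make_demo_chain() {
  cat > "$D/o.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root CA: self-signed, the only certificate a fresh client trusts.
  openssl req -config "$D/o.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Demo Root CA" -keyout "$D/root.key" -out "$D/root.pem" 2>/dev/null
  # Intermediate CA: its certificate is signed with the root's private key.
  openssl req -config "$D/o.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$D/int.key" -out "$D/int.csr" 2>/dev/null
  openssl x509 -req -in "$D/int.csr" -CA "$D/root.pem" -CAkey "$D/root.key" \
    -set_serial 2 -days 30 -extfile "$D/o.cnf" -extensions ca -out "$D/int.pem" 2>/dev/null
  # Server certificate: signed with the intermediate's private key, not the root's.
  openssl req -config "$D/o.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$D/srv.key" -out "$D/srv.csr" 2>/dev/null
  openssl x509 -req -in "$D/srv.csr" -CA "$D/int.pem" -CAkey "$D/int.key" \
    -set_serial 3 -days 30 -out "$D/srv.pem" 2>/dev/null
}

# $1 = client's trusted CA file; $2 (optional) = extra certs the server sent.
client_verifies() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$D/srv.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$D/srv.pem" >/dev/null 2>&1
  fi
}

report() {  # $1 = label, then the same arguments as client_verifies
  if client_verifies "$2" "${3:-}"; then echo "$1: trusted"; else echo "$1: NOT trusted"; fi
}

make_demo_chain
# A client that already has the intermediate installed next to the root.
cat "$D/root.pem" "$D/int.pem" > "$D/bundle.pem"
report "server sends only its own cert, client has root only" "$D/root.pem"
report "server also sends the intermediate, client has root only" "$D/root.pem" "$D/int.pem"
report "server sends only its own cert, client has intermediate" "$D/bundle.pem"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included.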