Why You Need An SSL Signed By A Trusted Root Certificate

When you visit an HTTPS website, your web browser will check the website’s SSL certificate to see if it’s trusted. This is a critically important step, as this confirms that you’re connected to the correct website (not, for example, a hacker pretending to be amazon.com).

How does my web browser verify a website’s SSL certificate?

Your web browser verifies the website’s SSL certificate by checking that it was issued by a root certificate authority the browser trusts. If the SSL certificate was not issued by a trusted root certificate authority, your browser won’t be able to verify it, and you’ll get an error message like this:

[Image: Your Connection is Not Private]

What is a Trusted Root Certification Authority?

How does your computer know which root certificate authorities to trust and which not to trust? That’s where root certificates and the trusted root store come into play.

Since your web browser can’t individually verify websites, it trusts certain companies, called certificate authorities, to verify individual websites. Your browser uses what’s called a “root store”, which is basically a list of the companies that are trusted to verify websites and issue certificates. There’s actually a root store on your computer that looks like this:

[Image: Trusted CA Root Store]

Your web browser uses this root store to validate the SSL certificate of each HTTPS website you visit.

Why is it important to get an SSL certificate from a trusted root CA?

Very simple: if you use a self-signed certificate or an SSL certificate from an untrusted root, your website will display a big red error message like in the screenshot shown above.

That’s a great way to scare visitors away.

If you get an SSL certificate from a trusted root CA, though, your website can look like this:

[Image: HTTPS Indicator]

How to tell which trusted root issued a website’s SSL certificate

In Google Chrome, click the padlock icon next to the website URL, then click Certificate. Then click Certification Path. The name listed at the top is the Root Certificate. In this case, it’s DigiCert:

[Image: Root Certificate Structure]

You’ll notice that there are three certificates listed, and the website certificate isn’t signed directly by the trusted root certificate.

To maintain the highest security standards, the root certificate is kept securely by the respective root certificate authority, and an intermediate certificate is used in its place. After being signed by the root certificate, the intermediate certificate is used by the certificate authority to sign the website’s certificate (also known as the SSL certificate), which is then issued to the customer to install on the website. This chain of trust is strictly maintained so that, in case of a security breach, the root certificate remains unscathed.

Example of an SSL Certificate chain

In the example above, you can see that CheapSSLsecurity.com is using a GeoTrust EV SSL certificate:

  • The www.cheapsslsecurity.com certificate is installed on the web server that runs cheapsslsecurity.com
  • The www.cheapsslsecurity.com certificate is signed by the “GeoTrust EV RSA CA 2018” certificate, which is the intermediate certificate.
  • The intermediate certificate is signed by the “DigiCert” trusted root certificate.
  • Your computer/browser has the DigiCert trusted root certificate in its trust store, so your browser knows it’s trustworthy, and by extension it knows that www.cheapsslsecurity.com is trustworthy.
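
The chain check described in the list above can be reproduced offline with the OpenSSL command line. This is an added example, not part of the original article: it builds a throwaway root, intermediate and website certificate, then shows which certificates a client holding only the root accepts. All names, file names and the hostname www.example.test are made up for the demonstration.

```shell
#!/bin/sh
# Constructed demo PKI: all names, files and hostnames are made up for this example.
WORK=$(mktemp -d) && cd "$WORK" || exit 1

# CA certificates must carry CA:TRUE to sign others; the site certificate must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > site.ext

# make_cert NAME CN EXTFILE [ISSUER]: writes NAME.key and NAME.pem.
# With no ISSUER the certificate is self-signed (signed by its own key).
make_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null || return 1
  if [ -z "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$3" \
      -days 30 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  fi
}

# chain_ok STORE CERT [INTERMEDIATE]: exit 0 only if CERT chains to a root in STORE.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

make_cert root  "Demo Root CA"         ca.ext             # kept in the trust store
make_cert inter "Demo Intermediate CA" ca.ext   root      # signed by the root
make_cert site  "www.example.test"     site.ext inter     # signed by the intermediate
make_cert lone  "www.example.test"     site.ext           # self-signed site certificate
cp root.pem truststore.pem                                # the client's "root store"

report() { if chain_ok "$@"; then echo "trusted"; else echo "NOT trusted"; fi; }
echo "site + intermediate -> root : $(report truststore.pem site.pem inter.pem)"
echo "site without intermediate   : $(report truststore.pem site.pem)"
echo "self-signed site cert       : $(report truststore.pem lone.pem)"
```

The second case is why a web server has to send the intermediate certificate along with its own: a client that holds only the root cannot link the website certificate to it without the intermediate.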

How to get an SSL Certificate from a Trusted Root Certification Authority

There are a variety of certificate authorities that offer fully trusted SSL certificates for your website. Some of the most popular are Comodo, GeoTrust, Thawte, Sectigo, and RapidSSL. You just need to purchase an SSL certificate from one of these trusted root CAs, then go through a simple validation process before they issue your SSL certificate.

Save up to 89% on trusted SSL certificates

We offer the lowest prices on SSL certificates from Comodo, GeoTrust, Thawte, Sectigo, Symantec, and RapidSSL. Save up to 88% by purchasing direct from us!

Author

Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.
