There are two types of certificate authorities (CAs): root CAs and intermediate CAs. For an SSL certificate to be trusted, it must be issued by a CA included in the trusted store connected to by the device.
If the certificate is not issued by a trusted CA, the connecting device (e.g., a web browser) will check whether the certificate is issued by a trusted CA until no trusted CA can be found.
The list of SSL certificates goes from root certificate to intermediate certificate and then to end-user certificate.
Assume that you purchase a certificate from Qcloud CA and the domain name is
Qcloud is not a root certificate authority. In other words, its certificate is not directly embedded in your web browser and cannot be explicitly trusted.
In the above example, SSL certificate chain is represented by 6 certificates:
example.qcloudby Qcloud CA.
example.qcloudby Alpha, an intermediate Qcloud CA.
Certificate 1 is called end-user certificate, certificates 2–5 are called intermediate certificates, and certificate 6 is called root certificate.
When you install your end-user certificate
example.qcloud, you must bundle all intermediate certificates and install them along with the end-user certificate. If the SSL certificate chain is invalid or broken, your certificate will no longer be trusted by some devices.