Every Secure Sockets Layer (SSL) certificate has a certification path that identifies the source of the digital certificate and can ultimately be traced to a root certificate. The certification path depends on the Certificate Authority (CA) you acquired the certificate from; each CA has its own list of root certificates that serve as trust anchors for issuing its own brand of digital certificates.
SSL certificates rely on the ‘chain of trust’ concept, where the Online Certificate Status Protocol (OCSP) validates a certificate by looking up the chain of trust in a CA. If an intermediate certificate is not recognised, OCSP will move on to the next step of looking up the root certificate. Only once both the intermediate and root certificates have been looked up will a secure connection be made between a server and a client. From here, confidential and private information can be shared.
Every CA has its own list of root certificates. DigiCert's root certificates are listed below (as of 20 Jan 2016):
- Baltimore CyberTrust Root
- DigiCert Assured ID Root CA
- DigiCert Assured ID Root G2
- DigiCert Assured ID Root G3
- DigiCert Federated ID Root CA
- DigiCert Global Root CA
- DigiCert Global Root G2
- DigiCert Global Root G3
- DigiCert High Assurance EV Root CA
- DigiCert Private Services Root
- DigiCert Trusted Root G4
- GTE CyberTrust Global Root
- Verizon Global Root CA
For the full list of DigiCert Root & Intermediate certificates, click here.
How to find the Root Certificate in Your SSL
The root certificate can be found by looking up the certification path in an SSL certificate. The digital certificate is publicly available by clicking the green padlock icon in the green address bar.
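The same certification path can be walked on the command line. The script below is an added example, not part of the original article: it assumes the `openssl` CLI is installed, and the three certificates (Example Root CA, Example Intermediate CA, www.example.test) and all function names are constructed for the demo.

```sh
#!/bin/sh
# Added example: build a constructed root -> intermediate -> leaf chain,
# then walk the certification path from the leaf up to its root.
set -e
D=$(mktemp -d)                       # scratch directory for the constructed certs
trap 'rm -rf "$D"' EXIT

# issue <name> <CN> <is_ca: TRUE|FALSE> [signer]; with no signer the cert is self-signed
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$D/$1.key" -out "$D/$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$D/$1.ext"
  if [ -n "${4:-}" ]; then
    signer="-CA $D/$4.pem -CAkey $D/$4.key -CAcreateserial"
  else
    signer="-signkey $D/$1.key"
  fi
  # $signer is left unquoted on purpose so it splits into separate options
  openssl x509 -req -in "$D/$1.csr" $signer -days 1 \
    -extfile "$D/$1.ext" -out "$D/$1.pem" 2>/dev/null
}

# name_of <subject|issuer> <cert>: print that distinguished name in RFC 2253 form
name_of() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# cert_path <cert> <dir>: print each subject from <cert> up to the root, one per line.
# The root is the certificate whose issuer equals its own subject (self-signed).
cert_path() {
  cur=$1
  while :; do
    subj=$(name_of subject "$cur"); iss=$(name_of issuer "$cur")
    echo "$subj"
    if [ "$subj" = "$iss" ]; then return 0; fi
    next=
    for c in "$2"/*.pem; do
      if [ "$(name_of subject "$c")" = "$iss" ]; then next=$c; break; fi
    done
    if [ -z "$next" ]; then echo "issuer not found: $iss" >&2; return 1; fi
    cur=$next
  done
}

# chain_ok: name matching is only a hint, so let openssl check the signatures too
chain_ok() { openssl verify -CAfile "$D/root.pem" -untrusted "$D/int.pem" "$D/leaf.pem" >/dev/null 2>&1; }

issue root "Example Root CA" TRUE
issue int  "Example Intermediate CA" TRUE root
issue leaf "www.example.test" FALSE int
cert_path "$D/leaf.pem" "$D"
chain_ok && echo "signatures verify up to Example Root CA"
```

For a certificate served by a real site, save the PEM files the server presents into one directory and call `cert_path` on the leaf; the last line printed is the root the chain anchors to.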
Ensure Root Certificates are Compatible
It is important that the installed SSL certificate is recognised by most platforms, to ensure a secure and encrypted connection throughout private sessions. In fact, DigiCert root certificates are among the most widely trusted authority certificates in the world, and all common web browsers, devices and mail clients recognise them automatically. In addition, their OCSP response times are the fastest amongst CAs.