What is a Single-Root SSL Certificate?

Most SSL certificates are issued by CAs who own and use their own Trusted Root CA certificates, such as those issued by DigiCert, GeoTrust^®, Thawte^® and RapidSSL^®. As DigiCert, GeoTrust^®, Thawte^® and RapidSSL^® are known to web browser vendors as trusted issuing authorities, their Trusted Root CA certificates has already been added to all popular web browsers and, hence are already trusted. These SSL certificates are known as "single-root" SSL certificates. GeoTrust^®, Thawte^® and RapidSSL^®, subsidiary of DigiCert, owns the Equifax root used to issue its certificates.

Some CAs does not have a Trusted Root CA certificate present in web browsers, or do not use the root they own but, instead use a "chained root" in order for their SSL certificates to be trusted. Essentially a CA with a Trusted Root CA certificate issues a "chained" certificate which "inherits" the browser recognition of the Trusted Root CA. These SSL certificates are known as "chained-root" SSL certificates.

Installation of chained-root certificates is more complex and some web servers and applications are not compatible with chained-root certificates.

CAs that use their own Trusted Root CA certificate and have long term relationships with the top browser vendors (such as Microsoft and Netscape) for the inclusion of their Trusted Root CA certificates are seen as considerably more credible and stable than chained-root certificate providers that don't have a direct relationship with the browser vendors or do not use their own root certificates to issue SSL certificates.

You can view the CAs that have and use their own root certificates by viewing the list in your browser.

Chained-root certificates require additional effort to install as the web server must also have the chained root installed. This is not necessary for single-root certificates.