What is a Trusted-Root SSL Certificate?

When connecting to a web server that is using SSL, the visitor's browser decides whether or not to trust the web site's SSL certificate based on which Certificate Authority (CA) has issued the actual SSL certificate. To determine this, the browser looks at the list of Certificate Authorities it trusts known as the "Trust Store" or "Root Store", which is kept internally in the Browser or the underlying Operating System. In the Windows OS you may have come across the program which handles this – Cert Manager (or certmgr.msc). If the issuing CA is included in the Trust Store then the secure connection is initiated and the user will see the green padlock and/or green address bar when it's an EV certificate.

Most SSL certificates you come across are issued by CAs who own and use their own Trusted Root certificates, such as those issued by DigiCert, GeoTrust^®, Thawte^® and RapidSSL^®. As DigiCert, GeoTrust^®, Thawte^® and RapidSSL^® are known to web browser vendors as trusted issuing authorities, their Trusted Root CA certificates has already been added to all popular web browsers, hence the name "Trusted-Root" SSL certificates. GeoTrust^®, Thawte^® and RapidSSL^®, subsidiaries of DigiCert, have multiple widely-trusted roots.

There are certificates out there that do not come from a Trusted-Root, and are "un-trusted" certificates. These are issued to and from themselves, known as "self-signed" certificates, or they are from an Internal CA. This means that the browser only trusts the Certificate if its explicitly told to. When the browser encounters this certificate it will present a full page error, unless they have been added to the computers' Trust Store. For this reason, un-trusted certificates are not suitable for use on public websites. These certificates are sometimes used to secure access to internal networks, such as with a corporate intranet, however managing this can be quite a hassle as it requires IT experience to ensure the certificate performs appropriately on all devices.

CAs that use their own Trusted Root CA certificate and have had long term relationships with the top browser vendors (such as Microsoft and Netscape) for the inclusion of their Trusted Root CA certificates are seen as considerably more credible and stable. They are also easier to set up as they are natively trusted and can be quickly installed and them accesses by desktops, laptops, iPhones, Android devices, etc.