A trusted Certificate Authority (CA) can delegate to another CA. In this case, the certificate returned by the delegated CA is signed by the trusted CA, resulting in a certificate chain. Certificate chains can vary in length. The highest certificate in the chain, known as the root certificate, should be a self-signed certificate, signed by the trusted CA itself.
Each certificate in the chain must be imported into the keystore so the complete chain can be sent to the web browser. If the CA reply does not include the chain certificates, you must add them to the keystore before importing the CA reply.
The certificates must be imported in order of dependency.
To import the certificates:
- Add the root certificate first.
- Add the next chained certificate signed by the root certificate.
- Add the next chained certificate (and so on) down to the CA reply.
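The import order above as a script, added here as an example and not part of the original page. It assumes a Java keystore managed with `keytool` and `openssl` for reading certificate names; the aliases, file names and the `KEYTOOL` override are hypothetical. It refuses to import anything unless the files are in dependency order, judged by issuer and subject names only.

```bash
#!/usr/bin/env bash
# Added example. Assumptions: a Java keystore managed with keytool, openssl
# available to read certificate names; file names and aliases are placeholders.

# Print the subject or issuer name of a PEM certificate.
# usage: cert_field subject|issuer FILE
cert_field() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"
}

# Succeed only if the files are in dependency order: the first is self-signed
# (the root) and each later certificate names the one before it as issuer.
# This compares names only, not signatures.
check_order() {
  prev=""
  for f in "$@"; do
    subj=$(cert_field subject "$f"); iss=$(cert_field issuer "$f")
    [ -n "$subj" ] && [ -n "$iss" ] || { echo "$f: unreadable" >&2; return 2; }
    if [ -z "$prev" ]; then
      [ "$subj" = "$iss" ] || { echo "$f: not self-signed" >&2; return 1; }
    else
      [ "$iss" = "$prev" ] || { echo "$f: not issued by previous file" >&2; return 1; }
    fi
    prev=$subj
  done
}

# usage: import_chain KEYSTORE KEY_ALIAS ROOT [INTERMEDIATE...] CA_REPLY
import_chain() {
  [ $# -ge 4 ] || { echo "need a root certificate and a CA reply" >&2; return 2; }
  keystore=$1; key_alias=$2; shift 2
  check_order "$@" || return 1
  n=0
  while [ $# -gt 1 ]; do
    # Root first, then each chained certificate, as trusted entries.
    # No -noprompt, so keytool can ask for confirmation before trusting.
    ${KEYTOOL:-keytool} -importcert -trustcacerts -alias "chain-$n" \
      -file "$1" -keystore "$keystore" || return 1
    n=$((n + 1)); shift
  done
  # Last: the CA reply, imported under the alias of the private key entry.
  ${KEYTOOL:-keytool} -importcert -alias "$key_alias" -file "$1" -keystore "$keystore"
}
```

A call such as `import_chain keystore.jks server root.pem intermediate.pem reply.pem` stops before the first import if an intermediate is missing or the files are listed out of order.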