Overview
Certificate_list (Certificate Chain) is needed to perform Certificate Validation of a Site Certificate.
Certificate_list is described in RFC 5246 as: "This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list and each following certificate MUST directly certify the certificate preceding it.
Because Certificate Validation requires that root keys be distributed independently, the Self-signed Certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case."
The Certificate_list is sent from the Server or Client to the relevant receiver.
Should Root Certificate be in Certificate_list
If the Certificate_list contains the Root Certificate, SSL/TLS will still work, but this is NOT recommended. A properly implemented client must have all the valid Root Certificates in its Trust Anchor Store and MUST NOT trust a Root Certificate distributed over an insecure connection from a random site.
If a client wants to exempt your site from Certificate Validation, they SHOULD NOT add your Root Certificate to their Certificate Trust Store. More than likely that user is not aware that doing so puts nearly all of their SSL connections (except pinned ones) at the mercy of that root. They should only ever trust your Site Certificate (aka the leaf certificate).
Technically, the only bad thing that can be said about sending the Root Certificate in the Certificate Chain is that it uses a bit of network bandwidth needlessly. That is about 1 kB of data per connection that includes a Full TLS Handshake. In a typical session between a client (Web browser) and a server, only one connection will be of that type, as the other connections from the client will use the "Abbreviated TLS Handshake", which builds on the initial handshake and does not use certificates at all. And each connection will be kept alive for many successive HTTP requests. So the network overhead implied by placing the Root Certificate in the certificate_list is slight.
Order of Certificates Presented
The Order of Certificates presented by a server to a client should be:
- Site Certificate MUST come first
- each following certificate MUST directly certify the certificate preceding it.
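The two rules above (ordering of the certificate_list, and the root being a local trust anchor rather than something taken from the chain) can be expressed as a small checker. The code below is an added example, not part of the original page and not from RFC 5246 itself; it uses a constructed stand-in for a certificate that carries only subject and issuer names, and the names "Example Root CA", "Example Intermediate CA" and "www.example.com" are made-up sample values. Signature checking, validity periods and name constraints are out of scope here; real clients do those on top of this.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate with only the fields
    the RFC 5246 ordering rule needs (no keys, no signatures)."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # A root (self-signed) certificate names itself as issuer.
        return self.subject == self.issuer


def check_certificate_list(chain: List[Cert]) -> List[str]:
    """Apply the ordering rule to a certificate_list exactly as received:
    chain[0] is the site (leaf) certificate and each following certificate
    must directly certify the one before it. A trailing self-signed root is
    reported as redundant. Returns a list of findings; empty means well formed."""
    findings: List[str] = []
    if not chain:
        return ["certificate_list is empty"]
    for i in range(1, len(chain)):
        prev, cur = chain[i - 1], chain[i]
        if cur.subject != prev.issuer:
            findings.append(
                f"position {i}: '{cur.subject}' does not certify "
                f"'{prev.subject}' (its issuer is '{prev.issuer}')"
            )
    if chain[-1].self_signed:
        findings.append(
            f"position {len(chain) - 1}: self-signed root "
            f"'{chain[-1].subject}' sent in chain (redundant; never a trust anchor)"
        )
    return findings


def build_validation_path(chain: List[Cert],
                          trust_anchors: List[Cert]) -> Optional[List[Cert]]:
    """Build the path from the site certificate to a locally held trust anchor.
    Intermediates are looked up by issuer name rather than by position, so a
    misordered chain still validates (lenient client behaviour). The anchor
    MUST come from the local store: any self-signed certificate received from
    the peer is dropped before the search. Returns the path or None."""
    if not chain:
        return None
    # Drop whatever root the peer sent; it carries no trust on its own.
    by_subject: Dict[str, Cert] = {c.subject: c for c in chain if not c.self_signed}
    anchors: Dict[str, Cert] = {a.subject: a for a in trust_anchors}
    path = [chain[0]]
    seen = {chain[0].subject}
    while True:
        issuer = path[-1].issuer
        if issuer in anchors:
            path.append(anchors[issuer])  # the local copy, not the received one
            return path
        nxt = by_subject.get(issuer)
        if nxt is None or nxt.subject in seen:
            return None  # no issuer available, or a cycle: validation fails
        seen.add(nxt.subject)
        path.append(nxt)


# Constructed sample hierarchy: root -> intermediate -> site certificate.
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("www.example.com", "Example Intermediate CA")


if __name__ == "__main__":
    for label, chain in [
        ("leaf + intermediate (recommended)", [LEAF, INTERMEDIATE]),
        ("leaf + intermediate + root", [LEAF, INTERMEDIATE, ROOT]),
        ("misordered", [INTERMEDIATE, LEAF]),
    ]:
        print(label, "->", check_certificate_list(chain) or "OK")
    print("path with local anchor:", build_validation_path([LEAF, INTERMEDIATE], [ROOT]))
    print("path, root only from wire:", build_validation_path([LEAF, INTERMEDIATE, ROOT], []))
```

The last call is the point of the "Should Root Certificate be in Certificate_list" section: with an empty local trust store the chain does not validate even though the peer sent its own root, because a root received over the connection is never used as an anchor.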