The Qualys SSL test always warns me that the root certificate is an extra download and can be safely removed.
However, on the Comodo website, their guide on installing a cert on nginx says:

> NGINX
> Needed for this task:
> * PEM encoded certificates (Root, Intermediate(s) and Domain/Device)
>
> COMBINE (CONCATENATE) MULTIPLE CERTIFICATES INTO ONE FILE

You know, they are a CA and should be the authentic answer. So, which one should I trust?
Update: I also gathered more advice from other CAs as well.
Suggest adding the root cert:
- https://support.globalsign.com/customer/portal/articles/1290470-install-certificate—nginx
- https://support.comodo.com/index.php?/Knowledgebase/List/Index/37/certificate-installation
- https://www.namecheap.com/support/knowledgebase/article.aspx/9419/0/nginx
Suggest the root cert is not needed:
- https://www.digicert.com/ssl-certificate-installation-nginx.htm
- https://www.geocerts.com/install/nginx
- https://www.ssllabs.com/ssltest/
So so confusing?
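
To check whether a PEM bundle configured for nginx contains the root certificate that the Qualys test flags, the bundle can be split into the certificates to serve and any self-issued ones. This is an added example, not part of the original post or any CA's guide; the function names are assumptions and the sample certificates are constructed, unsigned skeletons.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names from an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)    # step into Certificate
    _, pos, _ = _tlv(der, pos)  # step into tbsCertificate
    fields = []                 # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:         # skip the optional [0] version wrapper
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def split_chain(bundle_pem):
    """Split a PEM bundle into (certs to serve, self-issued roots).

    issuer == subject marks a self-issued certificate; the signature is
    not verified here, this only decides what belongs in the served chain.
    """
    serve, roots = [], []
    for m in PEM_RE.finditer(bundle_pem):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        (roots if issuer == subject else serve).append(m.group(0))
    return serve, roots

def _fake_cert(subject_cn, issuer_cn):
    """Constructed sample input: an unsigned certificate skeleton (layout only)."""
    el = lambda tag, *p: bytes([tag, sum(map(len, p))]) + b"".join(p)
    name = lambda cn: el(0x30, el(0x31, el(0x30, b"\x06\x03\x55\x04\x03", el(0x0C, cn.encode()))))
    tbs = el(0x30, el(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", el(0x30),
             name(issuer_cn), el(0x30), name(subject_cn))
    body = base64.b64encode(el(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

LEAF = _fake_cert("www.example.test", "Example Intermediate CA")
INTERMEDIATE = _fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = _fake_cert("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    serve, roots = split_chain("\n".join([LEAF, INTERMEDIATE, ROOT]))
    print(f"serve {len(serve)} certificate(s), drop {len(roots)} self-issued root(s)")
```
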
Best Answer
Both the Qualys SSL test and Comodo are correct. Comodo is correct from the server-side code perspective. Nginx should trust the certificates it uses.
On the other hand, the Qualys SSL test is correct from the network protocol perspective. During SSL negotiation, the server must send its own SSL certificate and all intermediate CA certificates except the root certificate. A reference from RFC 5246 §7.4.2: