What is a Single Root SSL Certificate?
Posted by on 29 April 2011 03:08 PM
When connecting to a webserver over SSL, the visitor's browser decides whether or not to trust the website's SSL certificate based on which Certification Authority has issued the actual SSL certificate. To determine this, the browser looks at its list of trusted issuing authorities, represented by a collection of Trusted Root CA certificates added into the browser by the browser vendor (such as Microsoft and Netscape).

Most SSL certificates are issued by CAs who own and use their own Trusted Root CA certificates, such as those issued by GeoTrust and RapidSSL. As GeoTrust and RapidSSL are known to browser vendors as trusted issuing authorities, their Trusted Root CA certificates have already been added to all popular browsers, and hence are already trusted. These SSL certificates are known as "single root" SSL certificates. RapidSSL, a subsidiary of GeoTrust, owns the Equifax root used to issue its certificates.

Some Certification Authorities do not have a Trusted Root CA certificate present in browsers, or do not use the root they do own, and use a "chained root" in order for their SSL certificates to be trusted. Essentially, a CA with a Trusted Root CA certificate issues a "chained" certificate which "inherits" the browser recognition of the Trusted Root CA. These SSL certificates are known as "chained root" SSL certificates.

Installation of chained root certificates is more complex, and some web servers and applications are not compatible with chained root certificates.

For a Certification Authority to have and use its own Trusted Root CA certificate already present in browsers is a clear sign that they are long-time, stable and credible organizations who have long-term relationships with the browser vendors (such as Microsoft and Netscape) for the inclusion of their Trusted Root CA certificates. For this reason, such CAs are seen as being considerably more credible and stable than chained root certificate providers who do not have a direct relationship with the browser vendors, or do not use their own root certificates to issue SSL certificates.

You can view the Certification Authorities who have and use their own root certificates by viewing the list in your browser.

Chained root certificates require additional effort to install, as the webserver must also have the chained root installed. This is not necessary for single root certificates.
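The trust decision described above can be sketched as a walk from the site certificate to a trusted root. This is an added example, not code from the original article: the `Cert` type, the `classify_chain` function and all certificate names are constructed for illustration, and certificates are matched by name only, whereas real validation also checks signatures, validity dates and constraints.

```python
from typing import List, NamedTuple, Tuple


class Cert(NamedTuple):
    """Simplified certificate: only the subject and issuer names (assumption)."""
    subject: str
    issuer: str


def classify_chain(leaf: Cert, sent_by_server: List[Cert],
                   trusted_roots: List[Cert]) -> Tuple[str, List[str]]:
    """Follow issuer links from the site certificate to a trusted root.

    Returns (kind, path). kind is "single root" when the leaf is issued
    directly by a root in the browser's list, "chained root" when one or
    more chained certificates installed on the server bridge the gap, and
    "untrusted" when the walk cannot reach a trusted root.
    """
    installed = {c.subject: c for c in sent_by_server}
    roots = {c.subject for c in trusted_roots}
    path = [leaf.subject]
    seen = {leaf.subject}
    current = leaf
    while True:
        if current.issuer in roots:
            path.append(current.issuer)
            kind = "single root" if len(path) == 2 else "chained root"
            return kind, path
        nxt = installed.get(current.issuer)
        # Missing chained certificate, or an issuer loop: trust cannot be built.
        if nxt is None or nxt.subject in seen:
            return "untrusted", path
        seen.add(nxt.subject)
        path.append(nxt.subject)
        current = nxt


# Constructed sample data: none of these names refer to real CAs.
ROOT = Cert("Constructed Root CA", "Constructed Root CA")
CHAINED = Cert("Constructed Chained CA", "Constructed Root CA")
SINGLE_LEAF = Cert("shop.example.test", "Constructed Root CA")
CHAINED_LEAF = Cert("www.example.test", "Constructed Chained CA")

if __name__ == "__main__":
    print(classify_chain(SINGLE_LEAF, [], [ROOT]))
    print(classify_chain(CHAINED_LEAF, [CHAINED], [ROOT]))
    # Chained certificate not installed on the webserver:
    print(classify_chain(CHAINED_LEAF, [], [ROOT]))
```

The third call shows the installation problem the article describes: the same chained root certificate fails to validate when the webserver does not also supply the chained certificate.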

