Browsers and certificate store

In which certificate stores do browsers look for a trusted certificate when they compare it to the one they receive when connecting to an HTTPS server (Windows)?


You need the root CA certificate in the trusted root store that the particular browser uses. Here is a page from a simple Google search that may help: https://help.riseup.net/security/certificates/import/

The browser does not need to find the server's certificate here. What needs to be installed in this store is the root CA cert that signed the server's certificate (or certificate chain).

For example, if the server has a certificate S, and S is signed by "MY-ROOT-CA", then MY-ROOT-CA needs to be installed in the trusted root store.

If the server's certificate S is signed by an intermediate CA "SOME-CA", and SOME-CA is signed by MY-ROOT-CA, then again only MY-ROOT-CA needs to be installed on the browser machine in the trusted root store.

If S is signed by SOME-CA, then SOME-CA may also need to be installed somewhere on the browser machine, but not necessarily in the trusted root store. In this case, the server may be sending both S and SOME-CA, and may even send MY-ROOT-CA. However long this chain of certificates gets, each link in the chain has to be sent by the server or be present on the local machine, but the very last one, MY-ROOT-CA, always has to be installed, and it has to be in the special trusted root store.

0
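The chain rule described in the answer above, modelled as an added example that is not part of the original answer: links may come from the server or the local machine, but the chain only validates if it ends in the trusted root store. `Cert`, `build_chain` and `names` are hypothetical names, and issuer-name matching is an assumption that stands in for real signature verification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # name of the signing CA; equals subject for a self-signed root

def build_chain(leaf, sent_by_server, local_intermediates, trusted_roots):
    """Return the path leaf -> ... -> trust anchor, or raise ValueError.

    Simplification: issuer-name matching stands in for the signature,
    validity and constraint checks that a real validator also performs.
    """
    # Links may come from the TLS handshake or from certificates already on the machine.
    candidates = {c.subject: c for c in [*sent_by_server, *local_intermediates]}
    # Only the trusted root store can end a chain, whatever the server sent.
    anchors = {c.subject: c for c in trusted_roots}
    chain, current, seen = [leaf], leaf, {leaf.subject}
    while True:
        anchor = anchors.get(current.issuer)
        if anchor is not None:
            if anchor != current:
                chain.append(anchor)
            return chain
        if current.subject == current.issuer:
            raise ValueError(f"{current.subject} is self-signed but not in the trusted root store")
        nxt = candidates.get(current.issuer)
        if nxt is None:
            raise ValueError(f"missing link: {current.issuer} was neither sent nor installed")
        if nxt.subject in seen:
            raise ValueError("issuer loop in supplied certificates")
        seen.add(nxt.subject)
        chain.append(nxt)
        current = nxt

def names(chain):
    return [c.subject for c in chain]

# Constructed certificates using the names from the answer above.
S = Cert("S", "SOME-CA")
SOME_CA = Cert("SOME-CA", "MY-ROOT-CA")
MY_ROOT_CA = Cert("MY-ROOT-CA", "MY-ROOT-CA")

if __name__ == "__main__":
    print(names(build_chain(S, [SOME_CA], [], [MY_ROOT_CA])))
    for sent, local, roots in [([SOME_CA, MY_ROOT_CA], [], []), ([], [], [MY_ROOT_CA])]:
        try:
            build_chain(S, sent, local, roots)
        except ValueError as err:
            print("rejected:", err)
```

The second case in the loop is the one that usually shows up as a browser warning on one machine but not another: the server omits SOME-CA and only clients that already hold it locally can complete the chain.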
