There are three types of digital certificates that are involved in producing a digital signature:

- The "end" or "signing" certificate, which contains the public key to be used to validate the actual digital signature.
- One or more "intermediate" Certification Authority (CA) certificates, which contain the public keys to validate the signing certificate or another intermediate certificate in the chain.
- The "root" CA certificate, which contains the public key used to validate the first intermediate CA certificate in the chain (or, rarely, the signing certificate directly).

An otherwise valid signature is "trusted" by TMWS if the CA certificate of the signature is known to TMWS and is active.

If TMWS encounters an unknown CA certificate during SSL handshake processing, it automatically saves the certificate in the Inactive CA Certificates list. Intermediate and root CA certificates are collected in this way. If required later, a CA certificate collected in this way can be "activated" (made trusted or untrusted by TMWS) so that the signatures of websites depending on it can be processed as valid or invalid.
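
The following added example is a simplified model of the behaviour described above, not TMWS code. It orders the certificates from a handshake into a chain, labels each as signing, intermediate or root, and applies an active/inactive CA list. The class and function names, the certificate names, and the rule that every CA in the chain must be active and trusted are assumptions, and no signatures are verified.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False

def classify(cert):
    """Return which of the three certificate types this is."""
    if not cert.is_ca:
        return "signing"
    return "root" if cert.subject == cert.issuer else "intermediate"

def build_chain(presented):
    """Order certificates from the signing certificate up to the last CA found.
    Matches issuer to subject by name only; a real validator checks signatures."""
    by_subject = {c.subject: c for c in presented}
    chain = [next(c for c in presented if not c.is_ca)]
    while chain[-1].subject != chain[-1].issuer and chain[-1].issuer in by_subject:
        chain.append(by_subject[chain[-1].issuer])
    return chain

class CaStore:
    """Hypothetical stand-in for the active and inactive CA certificate lists."""
    def __init__(self):
        self.active = {}       # CA subject -> "trusted" or "untrusted"
        self.inactive = set()  # unknown CAs collected during handshakes

    def activate(self, subject, status):
        self.inactive.discard(subject)
        self.active[subject] = status
    def evaluate(self, presented):
        statuses = []
        for ca in build_chain(presented)[1:]:
            status = self.active.get(ca.subject, "inactive")
            if status == "inactive":
                self.inactive.add(ca.subject)  # saved for later review
            statuses.append(status)
        if "untrusted" in statuses:
            return "untrusted"
        # Assumption: every CA in the chain must be active and trusted.
        return "trusted" if statuses and set(statuses) == {"trusted"} else "inactive"

HANDSHAKE = [  # constructed sample, deliberately out of order
    Cert("Example Root CA", "Example Root CA", is_ca=True),
    Cert("www.example.test", "Example Issuing CA"),
    Cert("Example Issuing CA", "Example Root CA", is_ca=True),
]
```

Evaluating `HANDSHAKE` against an empty `CaStore` returns `"inactive"` and records both CA names; after both are activated as trusted, the same handshake evaluates as `"trusted"`.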