Every time I think I have a fairly good understanding of how SSL works, something weird comes along to knock that understanding back a few notches. Case in point: Certificate Chains. IBM has a nice, short article called "How Certificate Chains Work" that describes what they are so I'm linking to that in order to save some space for this post.
With almost any type of certificate one purchases from Verisign today, and I use Verisign as an example because I am a Verisign certificate user, two intermediate certificates sit between the root certificate and the server certificate: a Primary Intermediate and a Secondary Intermediate. The Primary Intermediate is the same regardless of the type of server certificate that was purchased. The Secondary Intermediate varies according to the type of server certificate purchased. If you purchased one of their SecureSite with EV certificates, the secondary intermediate is different from the one that is issued along with their SecureSite certificates but the Primary Intermediate is the same.
Browsers have a feature in that they, I thought, displayed the full certificate chain, also known as the certification path. They would display the certificate hierarchy, so you can see the root, the intermediate(s) and the server cert. Problem is, they seem to have stopped doing this. Take Safari 5, which is displaying the certification path for the Extended Validation cert securing www.verisign,com:
Safari 5 shows the Primary Intermediate as if it is the root certificate, followed by the secondary intermediate, followed by the server cert. What's missing is the actual root cert as this is supposed to be a 4 way chain.
Firefox 3.6.13 exhibits the same behavior. Before you think, "Oh, this must be a Mac thing...", Firefox 3.6.13 running on Ubuntu 10.10 shows the same thing, too. So then I thought, well, maybe this is what is supposed to happen but two peculiar additional discoveries are the cause of my confusion.
Safari 3 shows the full certification path:
I found in my System Roots keychain that Apple has imported the Class 3 Public Primary Certification Authority - G5 cert, (the Primary Intermediate). Perhaps that is why it is displaying a 4 way chain as a 3 way chain? Well, that's what me and a buddy thought before connecting to one of my sites secured with a non EV cert but still utilizing the same 4-way chain. In that case, all four certs in the certification path are displayed in Safari 5 (portions of the image redacted to protect the innocent):