Hopefully, this is the best place to ask this question:
I obtained and uploaded the SSL code to my host’s server. The code was provided in 3 separate code bundles by a WordPress plugin. The code came from LetsEncrypt. Prior to providing the bundles the plugin verified that I owned the site.
The host said the upload was fine and the HTTPS designation appeared on my website. A problem developed later.
I tried to setup a Share button with Facebook. The setup was rejected. Facebook said that no Intermediate Certificate had been provided by the host’s server.
I then ran a separate SSL check. It also said that an Intermediate Certificate was missing.
My question is what is more likely: The 3 code bundles I uploaded contained errors or the host’s server did not properly/completely install the bundles?
SSL works with a few root Certificate Authorities (CAs). These authorities have so called root certificates and those are shipped with browsers. So any certificate that is signed by one of these CAs is recognised by browsers as being trusted. However, they can’t sign all certificates, so what the oftentimes do is create an intermediate certificate that they give to other parties. These parties can then use that intermediate certificate to sign SSL certificates.
However, if you only present your own SSL certificate and not the intermediate certificate then some parties can’t figure out which CA really signed the certificate (by proxy) and will refuse the certificate. When your site offers up the intermediate certificate too then this problem goes away.
I really wish browsers wouldn’t accept SSL without an intermediate certificate too (which they do accept now). That would prevent a lot of these problems.
No, just your certificate itself can maybe be regarded as some sort of password, but the intermediate certificates are just proof that your “password” is created by someone who is allowed to create “passwords”.