Somebody has to issue you, or your host or service, a certificate and somebody else must decide whether to accept your certificate when you present it. This implies that there must be a "chain of trust" such that the acceptor trusts the issuer.
The issuer of a certificate is an organization called a Certificate Authority (CA). Certificate Authorities come in two flavors, Root and Subordinate. A Subordinate Certificate Authority also has its own certificate, called a CA certificate (a specialized service certificate), issued by a higher-level Certificate Authority. The Root CA is at the top the heirarchy.
The acceptors of your certificate (e.g. grid services, web services and email clients) maintain a list of issuers (CAs) that they trust. In order to accept your certificate, the application has to find the corresponding CA certificate in its list, and that CA certificate's higher-level CA certificate if necessary, and so on, until it reaches the Root CA certificate. This forms the chain of trust.
For optimal use of any application in which you use a personal certificate (e.g., to avoid annoying popups and possibly the occasional refusal of service), the CA's certificate should be installed in the application ahead of time to establish the trust chain. Some combinations of browser and remote site will not work unless the CA certificate chain is installed.
- Installation of the CA certificate is not mandatory in a browser, just recommended.
- For signing/encrypting email, CA certificate installation in the email client is mandatory.
- For Windows users in the FERMI domain who use Microsoft tools (Internet Explorer, Outlook or Outlook Express), the collective domain updates take care of installing and updating the CA certificates in these applications for you.