A certificate authority may send certificates in one or more files. There are three possible combinations:
One file. One certificate file that contains the entire chain of certificates from the parent trusted root certificate, to possible intermediate signing certificates, to the host certificate. This is the most convenient scenario, because everything is in one file. You may lose some flexibility because you cannot unbundle the certificates.
When you import the certificate file, the system warns you that it is not trusted because the imported root certificate is not yet saved in the trusted root store. After the import, the warning no longer appears.
Two files. A certificate file and a separate root certificate file containing the signed Virtual Host server certificate. This provides the following benefits:
A trusted root certificate against which all future certificates are verified.
A trusted root certificate that you can import into the trusted root stores of web browsers that do not trust the RSA default root certificate by default.
You must import the root certificate first.
Two or more files. Multiple files, each containing a separate certificate. This allows you to establish a trusted root and gives you the most flexibility. When you replace both the web-tier and virtual host certificates, and they are signed by the same trusted certificate authority, you only need to import the trust certificates once. You must import each certificate in the following order: