I am using a GoDaddy cert. Normally I would concat the certs and make them into a chained cert:
cat www.example.com.crt sf_bundle.crt > chained.cert
And in my nginx.conf,
ssl_certificate chained.cert
In the browser I see the chain as below:
www.example.com
Starfield Secure Certification Authority
Starfield Technologies Inc.
That is fine, everything is working.
Today, I read a blog post from CloudFlare [1]; it said:
The lowest hanging fruit in terms of reducing
the size of these certificates was to remove the
root certificates from the certificate bundle.
There's no reason to include these since they should already be
present in browsers and, even if they're not, the browser won't trust them.
So, does it mean I can remove the Starfield Technologies Inc. certificate without affecting the validity of my SSL cert, and that I can get better performance?
[1] http://blog.cloudflare.com/what-we-just-did-to-make-ssl-even-faster
It depends on what kind of entity has signed your certificate.
If it was signed directly by a root CA, then indeed there'd be little point in re-serving such a root CA with your own web server.
However, if it was issued by an intermediate CA, and you don't bundle that within your cert, then you run the risk of certain users receiving warnings about the certificate being broken, if they've never seen such an intermediate CA before.
https://superuser.com/a/524234/180573
How to know which situation you're in? You can test with http://www.digicert.com/help/?host=
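An offline way to make the same distinction on the chained file itself, given here as an added example that is not part of the original answer: it drops any certificate after the first whose issuer equals its subject (a self-issued root) and keeps the server certificate and the intermediates. It compares the raw DER names and does not verify signatures; `strip_roots`, `fake_cert` and `SAMPLE` are hypothetical names, and the sample chain is built from unsigned stand-ins that reuse the names shown in the question.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)  # tbsCertificate SEQUENCE
    fields = []
    while len(fields) < 5:          # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:             # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def strip_roots(chained_pem):
    """Drop self-issued (issuer == subject) certs, but never the first one."""
    kept = []
    for i, m in enumerate(PEM_RE.finditer(chained_pem)):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        if i == 0 or issuer != subject:  # first cert is the server's own
            kept.append(m.group(0) + "\n")
    return "".join(kept)

# --- constructed sample input: unsigned stand-ins, not real certificates ---
def _tlv(tag, content):
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(size)]) + size) + content

def fake_cert(subject, issuer):
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30,
        bytes.fromhex("0603550403") + _tlv(0x0C, cn.encode()))))
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + _tlv(0x30, b"")
               + name(issuer) + _tlv(0x30, b"") + name(subject))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, bytes(65)))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

SAMPLE = (fake_cert("www.example.com", "Starfield Secure Certification Authority")
          + fake_cert("Starfield Secure Certification Authority", "Starfield Technologies Inc.")
          + fake_cert("Starfield Technologies Inc.", "Starfield Technologies Inc."))
```

For a real file, read the chained certificate as text and pass it to `strip_roots`; the result is what `ssl_certificate` would point at.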