Why is it needed to install intermediate CA

Question

Recently, I tried accessing an HTTPS website through java. I encountered an error about the SSL saying that

unable to find valid certification path to requested target

I tried checking my trust store and the root certificate and the intermediate CA which is signed by the root CA is also installed. The only thing not there is another intermediate CA which is the one used to sign the website's certificate.

I tried installing the intermediate CA and made the stuff work. I am wondering, why is it necessary to install the intermediate CA? Doesn't it somehow acquire that from somewhere without installing it to my trust store?

Answer 1

Why is it necessary to install the intermediate CA?

Because the HTTPS web server is misconfigured.

It is supposed to send the certificate chain, up to but excluding the root certificate.

Whoever configured the web server didn't do that, so if you don't have the chain installed locally, there is a missing link in the chain.

The correct solution is for the web server administrator to correctly configure the server. The workaround is what you've done, i.e. install the missing intermediate certificates locally, so Java can verify the full chain.