Should a root certificate be included in a CA bundle?

ssl-certificate certificate-authority

There's no use to including it. If the client browser or library has it as a trusted certificate then it obviously doesn't need another copy, if it doesn't have it then including it isn't going to make it trust it.

I have no idea why Namecheap would include it in their instructions. Abundance of caution? It's not an error or spec compliance violation to include it. Your site will work fine with it present. It will however add (very) slightly to the handshake processing time and serves no other practical purpose which is why Qualys includes it as a warning.

https://community.qualys.com/thread/11234


It looks like some others have had this issue- and yes, it might be safe to ignore NameCheap config instructions per the link:

Yes, that's correct. It's not an issue in the sense that the anchor is not allowed, but that the extra certificate (which serves no purpose) is increasing the handshake latency. Some people care about that, which is why provide the information in the test.

Related

systemd script for starting my app server - Unknown lvalue 'StartLimitIntervalSec' in section 'Unit'
ifconfig shows UP while ip link shows DOWN
What is bridge_fd?
What is the command to determine if OpenSSL and mod_ssl are installed on apache2?
Bare minimum Fedora installation?
wget recursive download, but I don't want to follow all links
Could you tell me what exactly happens when we edit the Web.config (at runtime) on a IIS server?
Execution failed for task 'app:mergeDebugResources' Crunching Cruncher....png failed
"The question then arises . . . "
Can "edition" be used to mean "the act of editing/changing something"?
What should I use: 'composed of' or 'composed from'?
What's the meaning of 'sorry lot' in Albert Einstein's quote?