What kind of list? I only know of a root certificate store.
The only way I can think of that a chain doesn’t need to chain 100% up to the top is if one of the intermediate certificates is also a root certificate (which is in the root certificate store of the browser/client).
That’s possible because any self-signed root certificate can also be cross-signed by another root certificate. So you’d end up with two certificates with the same CN and public key:
- Public key X with common name Y, signed by private key X (i.e., self-signed root certificate, issuer and common name are the same);
- Public key X with common name Y, signed by private key Z (i.e., cross-signed intermediate certificate where Z corresponds with the key from the root certificate which has issued this cross-signed certificate).
So if you have an end leaf certificate signed by the private key X (with the corresponding issuer of course), the client also has two options:
- check the chain up to the certificate X and check if it is in its root certificate store. If it finds the self-signed root certificate X, it’s fine. If not, it has to continue:
- check the chain up to the certificate Z and check if it is in its root certificate store.
As you can see above, the client always checks up to a root certificate, even if it’s only “half way” up the chain.
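The two options described in the post above can be traced with a small path-building model. This is an added example, not part of the original post: the certificate names, the key labels and `build_path` are constructed for illustration, and signatures are modelled by key labels rather than real cryptography.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str    # common name
    key: str        # label of the public key in the certificate
    issuer: str     # common name of the issuer
    signed_by: str  # label of the signing key (stands in for the signature)

def build_path(leaf, sent, trust_store, max_depth=8):
    """Return the certs from leaf up to a trusted root, or None if none is reached."""
    path, current = [leaf], leaf
    for _ in range(max_depth):
        wanted = (current.issuer, current.signed_by)
        # Option 1: the issuer (same name and key) is in the root store. Stop here.
        for root in trust_store:
            if (root.subject, root.key) == wanted:
                return path + [root]
        # Option 2: continue through a non-self-signed certificate the server sent,
        # for example the cross-signed copy of the same name and key.
        nxt = next((c for c in sent
                    if (c.subject, c.key) == wanted
                    and c.subject != c.issuer and c not in path), None)
        if nxt is None:
            return None  # no trusted root reachable
        path.append(nxt)
        current = nxt
    return None

# Constructed sample certificates matching the post's X / Y / Z naming.
ROOT_X = Cert("Y", "X", "Y", "X")            # self-signed root
CROSS_X = Cert("Y", "X", "Root Z", "Z")      # same name and key, signed by Z
ROOT_Z = Cert("Root Z", "Z", "Root Z", "Z")  # the cross-signing root
LEAF = Cert("leaf.example", "L", "Y", "X")   # end-entity cert issued by key X
SENT = [CROSS_X]                             # what the server sends with the leaf

if __name__ == "__main__":
    for name, store in [("X and Z trusted", [ROOT_X, ROOT_Z]),
                        ("only Z trusted", [ROOT_Z]),
                        ("nothing trusted", [])]:
        path = build_path(LEAF, SENT, store)
        print(name, "->", [f"{c.subject} (by {c.signed_by})" for c in path] if path else None)
```
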