Why www.facebook.com Has 2 Certificates
Why does www.facebook.com send 2 certificates for its HTTPS Web site?
✍: FYIcenter.com
To understand why www.facebook.com sends 2 certificates, let's use
the "keytool -printcert" command to print the owner and issuer of each certificate in the downloaded chain file:
C:\Users\fyicenter> keytool -printcert -file facebook.pem
Certificate[1]:
Owner: CN=www.facebook.com, O="Facebook, Inc.", L=Palo Alto,
ST=California, C=US
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign, OU=VeriSign International Server CA - Class 3,
OU="VeriSign, Inc.", O=VeriSign Trust Network
Serial number: 165f9ff89d0b31a887537cdef24fe04
Valid from: Wed Jun 20 20:00:00 EDT 2012 until: Tue Dec 31 18:59:59 EST 2013
Certificate fingerprints:
MD5: 8E:74:0C:F8:E5:50:76:EC:04:F0:D9:C5:B7:AD:B4:3A
SHA1: 9C:53:B1:A4:16:F9:58:79:1B:DA:D0:28:A9:FA:5D:65:4C:5F:81:52
SHA256: 51:96:D4:16:59:47:E8:FB:83:B6:E3:5B:CA:3B:1A:61:43:49:E4:
8A:48:D8:9A:23:17:60:A2:C4:40:25:28:BA
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.verisign.com
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRIntl-crl.verisign.com/SVRIntl.crl]
]]
#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier:
0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 risign.com/rpa
]] ]
]
#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: www.facebook.com
DNSName: facebook.com
]
Certificate[2]:
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.",
O=VeriSign Trust Network
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Serial number: 46fcebbab4d02f0f926098233f93078f
Valid from: Wed Apr 16 20:00:00 EDT 1997 until: Mon Oct 24 19:59:59 EDT 2016
Certificate fingerprints:
MD5: AC:D8:0E:A2:7B:B7:2C:E7:00:DC:22:72:4A:5F:1E:92
SHA1: D5:59:A5:86:66:9B:08:F4:6A:30:A1:33:F8:A9:ED:3D:03:8E:2E:A8
SHA256: 00:BD:2B:0E:DD:83:40:B1:74:6C:C3:95:C0:E3:55:B2:16:58:53:
FD:B9:3C:52:DA:DD:A8:22:8B:07:00:2D:CE
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:0
]
#2: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3.crl]
]]
#3: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier:
0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 43 50 53 risign.com/CPS
]] ]
]
#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
2.16.840.1.113733.1.8.1
]
#5: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
Crl_Sign
]
#6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
S/MIME CA
]
If you read the owner and issuer information of both certificates, you can see that:

Certificate[1] is owned by CN=www.facebook.com and is issued by "OU=VeriSign International Server CA - Class 3, ..., O=VeriSign Trust Network". Its extensions say CA:false and list the server names in the SubjectAlternativeName, so it is an end-entity (server) certificate.

Certificate[2] is owned by exactly that issuer, "OU=VeriSign International Server CA - Class 3, ..., O=VeriSign Trust Network", and is itself issued by "OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US". Its extensions say CA:true with PathLen:0 and a KeyUsage of Key_CertSign and Crl_Sign, so it is a CA certificate that may sign end-entity certificates but no further CA certificates.

Now we know why www.facebook.com provides 2 certificates. The first certificate is Facebook's own server certificate, but it is not signed directly by a trusted root CA. It is signed by the second certificate, which belongs to an intermediate CA, and that intermediate certificate is in turn signed by the VeriSign Class 3 Public Primary Certification Authority, a self-signed root that browsers and the JDK "cacerts" keystore include as trusted.

In other words, www.facebook.com provides its own certificate plus the signer's certificate so that a client can build a certificate chain (or certificate path) from the server certificate up to a root it already trusts. Notice what is not in the file: the root certificate itself. The server does not need to send it, and a client would gain nothing from receiving it, because trust comes only from the root already being present in the client's own trust store. A client whose trust store lacks that VeriSign root will reject the chain, and a client that receives Certificate[1] without Certificate[2] cannot complete the path either; in Java this is the familiar "unable to find valid certification path to requested target" error.

Two other details in the output deserve a look. Both certificates are signed with SHA1withRSA, which was normal in 2012 but is no longer accepted for publicly trusted certificates by current browsers. And the intermediate's PathLen:0 means any further CA certificate below it would be rejected, so the chain can never be longer than the two certificates shown here plus the root.
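The same chain logic, as an added example that is not from the original page: the script below uses openssl (assumed to be on PATH) to generate a made-up three-tier chain (Example Root CA, Example Intermediate CA, www.example.test), bundles the two certificates a server would send the way facebook.pem does (server certificate first, then its intermediate), prints owner and issuer of each like "keytool -printcert", and then runs path validation three ways: with the intermediate supplied, with the server certificate alone, and with only the intermediate in the trust store.

```shell
#!/bin/sh
# Added example, not from the original page: build a root -> intermediate -> leaf
# chain with openssl, bundle the two certificates a server sends (leaf plus
# intermediate, like Certificate[1] and Certificate[2] above), and show how a
# client validates that bundle against a root it already trusts.
# Every name here (Example Root CA, Example Intermediate CA, www.example.test)
# is made up; only "openssl" on PATH is required.
set -e

WORK=$(mktemp -d)          # scratch directory for keys and certificates
cd "$WORK"

# Extension profiles modelled on the keytool output: a root CA, an intermediate
# CA limited to PathLen:0 (it may sign end-entity certs but no further CAs),
# and a server certificate with CA:false and its names in the SAN.
cat > root.ext <<'EOF'
basicConstraints=critical,CA:true
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > intermediate.ext <<'EOF'
basicConstraints=critical,CA:true,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:false
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:www.example.test,DNS:example.test
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

# Self-signed root: the certificate the client already has in its trust store.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/O=Example Trust Network/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile root.ext -out root.pem 2>/dev/null

# Intermediate CA, signed by the root (the analogue of Certificate[2]).
openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key -out intermediate.csr \
  -subj "/O=Example Trust Network/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile intermediate.ext -out intermediate.pem 2>/dev/null

# Server certificate, signed by the intermediate (the analogue of Certificate[1]).
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/O=Example Inc./CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# What the TLS server sends: its own certificate first, then the signer's.
cat leaf.pem intermediate.pem > server-chain.pem

# Number of certificates in a PEM bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Subject / issuer of one PEM certificate in canonical RFC 2253 form, so that
# the issuer of one certificate can be compared textually with the subject of the next.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }

# Owner/issuer of every certificate in a bundle, the openssl counterpart of
# "keytool -printcert -file facebook.pem".
print_chain() { openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout; }

# Path validation as a client does it: $1 = trusted roots, $2 = extra (untrusted)
# certificates received from the server, $3 = the server certificate.
# Succeeds only if a path from $3 to a self-signed root in $1 can be built.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

echo "certificates in server-chain.pem: $(cert_count server-chain.pem)"
print_chain server-chain.pem
if [ "$(issuer_of leaf.pem)" = "$(subject_of intermediate.pem)" ]; then
  echo "leaf issuer matches intermediate subject"
fi
if verify_leaf root.pem intermediate.pem leaf.pem; then
  echo "leaf + intermediate against trusted root: OK"
fi
if ! verify_leaf root.pem "" leaf.pem; then
  echo "leaf alone against trusted root: FAILS (issuer certificate missing)"
fi
if ! verify_leaf intermediate.pem "" leaf.pem; then
  echo "leaf against the intermediate only: FAILS (intermediate is not a self-signed root)"
fi
```

The third validation is the one people get wrong most often: putting the intermediate into the trust store is not enough, because openssl (like Java's PKIX validator by default) keeps walking up until it reaches a self-signed certificate it trusts, and the intermediate's issuer is missing. Only the root belongs in the trust store; the intermediate belongs in the server's configured chain.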
2012-07-20