
Root Certificate vs. Intermediate Certificates: Learn the Difference Between the Two

The Leaf SSL/TLS Certificate Installed on a Website Is Only a Small Part of a Certificate Chain

Usually, when you see an SSL/TLS certificate, you may think it’s quite straightforward: you purchase it from an SSL/TLS certificate provider, install it on your website to keep your visitors’ sensitive data secure, and it works effortlessly until it expires. It’s no secret that most website owners don’t care about the certificate configuration or its renewal and leave it to the professionals.

Likewise, many are not even bothered to learn the difference between root certificates and intermediate certificates. But if you’re one of those who are likely to install your purchased SSL/TLS certificate on your own, then it’s recommended that you go through this article and learn what a certificate chain is, and the difference between root certificates and intermediate certificates.

So, without delaying it further, let’s get into it.

If you’re installing an SSL/TLS certificate on your own for the first time, it’s not unusual to be surprised for a moment, quite apart from the installation process itself, because the ZIP archive you receive in an email from the CA contains several different certificate files.

The archive you receive from the CA includes the server certificate, which is issued specifically for your domain, and the intermediate certificate, which links your server’s certificate to the CA’s root certificate.

So, if server certificates, root certificates, intermediate certificates, and the chain of trust are getting on your nerves, read on: you’ll learn what these certificates are, the difference between root and intermediate certificates, and why they are so crucial to the working of SSL/TLS. But before jumping into those, let’s first look at the chain of trust and then the whole picture.

What’s the SSL Chain of Trust?

Put simply, the SSL chain of trust is the way a certificate links back to a trusted Certificate Authority. It lets your browser decide whether to trust the SSL/TLS certificate installed on the website you’re visiting. In other words, an installed SSL/TLS certificate must be traceable to a trusted root to prove its genuineness.

All the certificates in the chain, namely the end-entity, intermediate, and root certificates, must be trusted appropriately. These three parts together are known as the chain of trust.

Here’s an image showing how the chain of trust works:

[Image: chain-of-trust]

You can look at the chain of trust for your own website too. Simply click the padlock icon of the site and select the Certification Path tab.

For instance, here’s the certificate chain of http://aboutssl.org/:

[Image: certificate-path]

Now that you know what the SSL chain of trust is, let’s look at what a root certificate is, what an intermediate certificate is, and the difference between the two.

What’s a Root Certificate?

A root certificate, also called a trusted root, is a certificate issued by a trusted Certificate Authority (CA) such as Sectigo or DigiCert. It’s a special type of X.509 digital certificate that is used to issue other certificates, called intermediates, which in turn issue the end-user SSL certificates, so that the root itself avoids the risk of getting compromised.

These end-user or leaf SSL certificates, which are installed on the website, have a validity period of two years, whereas root certificates have a much longer one. For example, take a look at the validity period of DigiCert’s EV root certificate.

[Image: certificate-root-option]

Furthermore, each CA has more than one root certificate. Here’s a quick look at the root store on my computer, containing the root certificates of different CAs.

[Image: root-store]

Most of the time, the different root certificates of one CA have different attributes. For example, COMODO (now Sectigo) has one root for making RSA signatures and another for ECDSA.

What’s an Intermediate Certificate?

Issuing SSL/TLS certificates to end-users directly from the root certificate is very dangerous as well as impractical, as it would lead to management problems and fraud. To overcome these issues, CAs add another layer of security known as an intermediate certificate.

These intermediate certificates form the links of the “chain of trust” between the root certificate and an end-entity SSL/TLS certificate.

In Windows, trusted root certificate authorities and intermediate certificate authorities are kept under separate tabs in the local computer’s certificate console, like below:

[Image: console-root-options]

Certificate Authorities like Comodo use the intermediate certificate to sign the end-user certificates they issue, and the intermediate is installed on the server once, alongside the server certificate. In return, the intermediate certificate tells browsers and apps that the installed SSL/TLS certificate can be trusted. Lastly, intermediate certificates have a longer validity period than end-user SSL/TLS certificates, though a shorter one than the root certificate.

[Image: comodo-ecc-domain-certificate]

Root Certificates vs. Intermediate Certificates: Here’s the Difference

A root CA is a Certificate Authority that owns one or more trusted roots, which are stored in the trust stores of all the major web browsers. Intermediate CAs, or sub-CAs, are Certificate Authorities that issue from an intermediate root.

An intermediate CA doesn’t have its roots in the browsers’ trust stores; instead, its intermediate roots chain back to a trusted third-party root. This is also known as cross-signing.

Besides, root CAs do not issue any SSL certificate directly from their roots. Instead, they add an additional layer of security by issuing intermediates and then signing certificates with those intermediates, which limits the damage from any mis-issuance or security threat.

So, in turn, if a revocation has to be done, there’s no need to revoke the root certificate: revoking the affected intermediate solves the issue, as it distrusts everything issued under that intermediate.
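To make the chain of trust from the earlier section and the revocation argument just above concrete, here is an added example; it is not part of the original article and not code from any CA. It uses only Go’s standard crypto/x509 library to build a constructed hierarchy (one root, two intermediates, one leaf under each) with the validity layering the article describes, then verifies a leaf the way a browser does: the root comes from the trust store, the intermediates from what the server sent, and the hostname is matched against the certificate. Leaving the intermediate out reproduces the familiar “unknown authority” installation error, and the `distrusted` set is a simplified stand-in for revocation (no CRL or OCSP is consulted) that shows distrusting one intermediate cuts off only the certificates beneath it while the root and the other branch keep working. All names (`Example Root CA`, `www.example.com`, and so on) are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyAndCert pairs a certificate with the private key that signs beneath it.
type keyAndCert struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

var nextSerial int64 = 1 // constructed sequential serials; a real CA uses random ones

// makeCert issues a certificate for cn signed by parent, or self-signed when parent is nil.
func makeCert(cn string, isCA bool, years int, dns []string, parent *keyAndCert) (*keyAndCert, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		DNSNames:              dns, // browsers match the hostname against the SAN, not the CN
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	nextSerial++
	if isCA { // CA certificates sign other certificates; they do not terminate TLS
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent = &keyAndCert{cert: tmpl, key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, pub, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &keyAndCert{cert: cert, key: key}, err
}

// buildPKI mirrors the article's layering: a root (25 years) signs two intermediates
// (10 years), and each intermediate signs one leaf (2 years).
func buildPKI() (root, interA, interB, leafA, leafB *keyAndCert, err error) {
	issue := func(dst **keyAndCert, cn string, isCA bool, years int, dns []string, parent *keyAndCert) {
		if err == nil { // stop issuing after the first failure
			*dst, err = makeCert(cn, isCA, years, dns, parent)
		}
	}
	issue(&root, "Example Root CA", true, 25, nil, nil)
	issue(&interA, "Example Intermediate CA A", true, 10, nil, root)
	issue(&interB, "Example Intermediate CA B", true, 10, nil, root)
	issue(&leafA, "www.example.com", false, 2, []string{"www.example.com"}, interA)
	issue(&leafB, "www.example.net", false, 2, []string{"www.example.net"}, interB)
	return
}

// verifyLeaf checks leaf as a browser would: root from the trust store, intermediates from what
// the server sent, hostname against the SAN. distrusted lists subject names of revoked certificates
// (a simplified stand-in for CRL/OCSP); any chain that passes through one is rejected.
func verifyLeaf(leaf, root *keyAndCert, inters []*keyAndCert, host string, distrusted map[string]bool) error {
	roots, sent := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	for _, i := range inters {
		sent.AddCert(i.cert)
	}
	chains, err := leaf.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent, DNSName: host})
	if err != nil {
		return err
	}
	for _, c := range chains[0] {
		if distrusted[c.Subject.CommonName] {
			return fmt.Errorf("chain passes through distrusted certificate %q", c.Subject.CommonName)
		}
	}
	return nil
}

func main() {
	root, interA, interB, leafA, leafB, err := buildPKI()
	if err != nil {
		panic(err)
	}
	both := []*keyAndCert{interA, interB}
	aRevoked := map[string]bool{"Example Intermediate CA A": true}
	fmt.Println("leaf A, chain complete: ", verifyLeaf(leafA, root, both, "www.example.com", nil))
	fmt.Println("leaf A, no intermediate:", verifyLeaf(leafA, root, nil, "www.example.com", nil))
	fmt.Println("leaf A, A revoked:      ", verifyLeaf(leafA, root, both, "www.example.com", aRevoked))
	fmt.Println("leaf B, A revoked:      ", verifyLeaf(leafB, root, both, "www.example.net", aRevoked))
}
```

Run it with `go run`: the first line prints `<nil>` (the complete chain verifies), the second reports an unknown authority because the server did not send the intermediate, the third is rejected because intermediate A is distrusted, and the fourth prints `<nil>` because leaf B hangs off intermediate B and the root was never touched. Keying distrust by subject name is only for readability; a real revocation check identifies certificates by issuer and serial number.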

Summary

We hope you now have an idea of what the SSL chain of trust is and how important it is to the successful working of an SSL/TLS certificate, what root and intermediate certificates are, and the difference between the two.
