What are root and intermediate SSL certificates?

This article explains what root and intermediate certificates are and how they work.

What are root certificates?

In a nutshell:

  • A root certificate is the highest level in the certificate hierarchy.
  • Root certificates are issued by a Certificate Authority (CA), such as GlobalSign, Sectigo or DigiCert.
  • Root certificates are installed by default in operating systems and browsers, so they are automatically considered trustworthy.
  • Private keys of root certificates are extremely well protected because a compromised root certificate would compromise the entire certification chain.

Without a root certificate, the browser would have no reason to accept an SSL certificate issued by the CA.

End users should not normally modify the certificates that come with their browser. Browser developers such as Mozilla, Google, Microsoft and Apple (Safari) ensure that when updates are made, the obsolete or expired certificates are automatically replaced with newer ones.

Therefore, it is also important to ensure that you have an up-to-date operating system with the very latest security updates. If your operating system is not up to date, you may sometimes have an older root certificate, with the result that newer certificates are considered "not correct" when in fact they are correct!

What are intermediate certificates?

  • An intermediate certificate is issued by a root CA and serves as an intermediate layer between root and end-user certificates.
  • They help mitigate risk because root certificates are rarely used directly to sign end-user certificates.
  • Intermediate certificates are trusted by servers and clients if the root certificate is present in the system.

Certificate Authorities must meet very strict security requirements to ensure that their certificates are not compromised. In addition to the current root certificate, whose private key is tightly guarded and which is not used to sign SSL certificates directly, all certificate issuers use intermediate certificates, often one per product.
Should the private key of one of these intermediate certificates be hijacked, which is extremely unlikely, certificates that depend on another intermediate certificate remain secure.

Since intermediate certificates vary from product to product, it is always recommended to install them on your server before installing your own certificate.

If you do not, or if the intermediate certificate is not the correct one, your visitors' browsers may not accept the installed SSL certificate. This is the common "Incomplete Chain" error.

Where can I find root and intermediate certificates?

You can download the different certificates on the websites of the Certificate Authorities.

  • GlobalSign AlphaSSL intermediate certificates can be downloaded here.
  • Sectigo intermediate certificates for popular products such as PositiveSSL can be downloaded here.
