What are root and intermediate SSL certificates?

This article explains what root and intermediate certificates are and how they work.

What are root certificates?

In a nutshell:

  • A root certificate is the highest level in the certificate hierarchy.
  • Root certificates are issued by a Certificate Authority (CA), such as GlobalSign, Sectigo or DigiCert.
  • Root certificates are installed by default in operating systems and browsers, so they are automatically considered trustworthy.
  • Private keys of root certificates are extremely well protected because a compromised root certificate would compromise the entire certification chain.

Without a root certificate, the browser would have no reason to accept an SSL certificate issued by the CA.

End users should not normally modify the certificates that come with their browser. Browser developers such as Mozilla, Google, Microsoft and Apple (Safari) ensure that when updates are made, the obsolete or expired certificates are automatically replaced with newer ones.

Therefore, it is also important to ensure that you have an up-to-date operating system with the very latest security updates. If your operating system is not up to date, you may sometimes have an older root certificate, with the result that newer certificates are considered "not correct" when in fact they are correct!

What are intermediate certificates?

  • An intermediate certificate is issued by a root CA and serves as an intermediate layer between root and end-user certificates.
  • They help mitigate risk because root certificates are rarely used directly to sign end-user certificates.
  • Intermediate certificates are trusted by servers and clients if the root certificate is present in the system.

Certificate Authorities must meet very strict security requirements to ensure that their certificates are not compromised. In addition to the root certificate, whose private key is tightly guarded and which is not used to sign SSL certificates directly, all certificate issuers use intermediate certificates, often one per product.
Should the private key of one of these intermediate certificates be compromised, which is extremely unlikely, certificates that depend on another intermediate certificate remain secure.

Since intermediate certificates vary from product to product, it is always recommended to install them on your server before installing your own certificate.

If you do not, or if the intermediate certificate is not the correct one, your visitors' browsers may not accept the installed SSL certificate. This is the common "Incomplete Chain" error.

Where can I find root and intermediate certificates?

You can download the different certificates on the websites of the Certificate Authorities.

  • GlobalSign AlphaSSL intermediate certificates can be downloaded here.
  • Sectigo intermediate certificates for popular products such as PositiveSSL can be downloaded here.
