What are root and intermediate SSL certificates?

Last updated: 07/06/2018

This article explains what root and intermediate SSL certificates are, and where to download them.

SSL security is built upon a chain of trust that runs downwards from the Certificate Authority (CA), the issuer of the certificate (GlobalSign, Comodo, GeoTrust), to your own certificate. A browser accepts your certificate because it carries the Certificate Authority's digital signature, which validates it. The identities of CAs are built into web browsers by adding their root certificates. Without a CA's root certificate, a browser has no way of knowing whether to accept an SSL certificate issued by that CA.

End users do not need to update the certificates that are trusted by their browser. Browser vendors such as Mozilla, Google or Microsoft ensure that newer versions of root certificates are automatically included in browser updates.

As a server administrator, you may occasionally have to install new certificates. Windows Server, for instance, ships with a number of certificates pre-installed, just like its desktop counterparts, but updates may be needed, for example to migrate from older SHA-1 certificates to more secure SHA-2 versions. Some certificate vendors, GlobalSign for instance, have a single root certificate, whereas others, like GeoTrust, have different root certificates for different certificate types. Linux web servers such as Apache, Lighttpd and Nginx do not ship with root certificates at all, so manual installation is needed to avoid errors.

Certificate Authorities are bound by very strict security guidelines to ensure their certificates do not get compromised. That is why each CA's root certificate is jealously guarded and is not used to sign end users' certificates directly. Instead, all CAs use intermediate certificates that have been signed by the root certificate, and those in turn are used to sign and validate end users' certificates. Most CAs have one intermediate certificate for each certificate type they offer. In the unlikely event that one of these intermediate certificates is compromised, certificates depending on another intermediate certificate would still be valid.

When visiting a website secured by HTTPS, it's fairly easy to view all SSL certificate information by clicking the padlock icon in your address bar and then selecting the certificate details. The certificate details of www.kinamo.be are shown below to illustrate this.

You will notice that this certificate is an Extended Validation certificate, which is only issued after an in-depth audit. Going up the certificate hierarchy, the certificate was signed by the intermediate certificate, GlobalSign Extended Validation SSL CA - SHA256 - G3, which in turn was issued and signed by GlobalSign's root certificate, GlobalSign Root CA - R3.

[Figure: Kinamo SSL certification path]

Since intermediate certificates vary according to your type of certificate, you should always install the corresponding intermediate certificates on your web server alongside your own. Without them, your visitors' web browsers won't accept your certificate, because there is no uninterrupted chain of trust from your certificate up to a root the browser knows. This is the common "incomplete chain" error.
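The chain of trust and the "incomplete chain" failure described above can be reproduced end to end with the Go standard library. The following is an added example, not code from this article or from Kinamo: it constructs a throwaway root CA, an intermediate CA signed by that root and a server certificate signed by the intermediate (the names "Example Root CA (constructed)", "Example Intermediate CA (constructed)" and "www.example.test" are made up), then plays the browser twice. The browser trusts only the root, as a real root store does; when the server also sends the intermediate, verification succeeds and the full path is returned, and when the intermediate is missing, verification fails with an "unknown authority" error, which is exactly what a visitor sees behind an incomplete-chain warning.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MiniPKI is a constructed three-tier chain (root -> intermediate -> leaf),
// standing in for e.g. "GlobalSign Root CA - R3" -> "GlobalSign Extended
// Validation SSL CA - SHA256 - G3" -> www.kinamo.be. All names are made up.
type MiniPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// sign creates a certificate from tmpl, signed with parent's private key
// (parent == tmpl yields a self-signed root), and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewMiniPKI builds the chain: the root signs only the intermediate, and the
// intermediate signs the end-entity certificate, as the article describes.
func NewMiniPKI() (*MiniPKI, error) {
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, interKey, leafKey := keys[0], keys[1], keys[2]

	rootTmpl := caTmpl(1, "Example Root CA (constructed)")
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	interTmpl := caTmpl(2, "Example Intermediate CA (constructed)")
	interTmpl.MaxPathLenZero = true // may sign end-entity certificates only, no further CAs
	inter, err := sign(interTmpl, root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(leafTmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &MiniPKI{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyChain plays the browser: it trusts only the root (like a browser's
// root store) and gets whatever the server sent next to its own certificate.
// It returns the subject names of the validated path, leaf first.
func VerifyChain(p *MiniPKI, serverSendsIntermediate bool) ([]string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	sent := x509.NewCertPool()
	if serverSendsIntermediate {
		sent.AddCert(p.Intermediate)
	}
	chains, err := p.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "www.example.test",
		Roots:         roots,
		Intermediates: sent,
	})
	if err != nil {
		return nil, err // an incomplete chain surfaces here as "unknown authority"
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	pki, err := NewMiniPKI()
	if err != nil {
		panic(err)
	}
	for _, complete := range []bool{true, false} {
		names, err := VerifyChain(pki, complete)
		fmt.Printf("intermediate sent=%v chain=%v err=%v\n", complete, names, err)
	}
}
```

Running the program prints a three-entry chain (leaf, intermediate, root) for the complete case and an "x509: certificate signed by unknown authority" error for the incomplete one; the only difference between the two runs is whether the intermediate was presented, which is precisely what installing the CA's intermediate bundle on the web server fixes.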

You'll find all the needed certificates on each Certificate Authority's website, usually bundled in one file for use on Apache, for instance, or as separate downloads for use in Microsoft IIS. Alternatively, save yourself some time and download all the root and intermediate SSL certificates you need from Kinamo's Certificate Download page.