Root CA Certificate vs. Intermediate CA Certificate

Many individuals have the false perception about the root certificate and intermediate certificate. We have covered the basic perception of both root and intermediate certificates and their roles in the certificate chain.

We all know the importance of SSL Certificate prevailing for online business and reputation of websites. If we look deep into SSL security techniques, it depends on lots of factors like RSA key, root chain, SHA algorithm, encryption length etc. Today we are going to discuss on one of the key factors like Root certificate and Intermediate certificate. Generally, there are two types of certificate authorities like the Root CA and the intermediate CA.

Many individuals have the false perception about the root certificate and intermediate certificate. We have covered the basic perception of both root and intermediate certificates and their roles in the certificate chain.

Root Certificate:

Root certificate is a part of public key infrastructure (PKI) and it can be a self-signed or unsigned public key certificate. Certificate authority issues numerous types of digital certificates and the Root certificate is on the top of the certificate hierarchy. Digital certificates follow a chain of trust and the top anchor (a trusted and authoritative entity) of this chain is Root CA (certificate authority). All certificates below the root certificate put trust into the root certificate and the public key of the root certificate is used to sign other certificates. Many software applications also believe or inherit the reliability of this root certificate like browser and other services verifies the SSL/TLS connections on the basis of root certificate trustworthiness. At the current time, many CA issues root certificates, which are also updated at regular intervals in Windows OS (operating systems). In the below image, you can see that certificate “Issued To” and “Issued by” is the same certificate authority means the CA is also playing a role of the root certificate authority.

Intermediate Certificate:

With the increase of PKI responsibility, the number of root CAs has been replicated, but in the end, it is not practical to have many Root CAs as it could lead to fraud and management issues. In that case, the concept of Intermediate certificate authority has been evolved. The Root Certificate authorities have delegated their tasks to Intermediate CAs. As a result, there can be more than one Intermediate CAs. An intermediate certificate is not a self-signed certificate but works as a substitute for a root certificate because a Root certificate has its own security layers assuring that its keys remain unobtainable.

Intermediate certificate plays a “Chain of Trust” between an end-entity certificate and root certificate. In Windows OS, there will be separate tabs like Trusted Root certificate authorities and Intermediate certificate authorities seen in the local computer account console.

console

SSL Certificate Authorities (i.e. Digicert, GeoTrust, Comodo etc.) use the intermediate certificates and users have to install the intermediate certificate once. That will tell browsers, mobile, and apps that the SSL certificate is a trusted one. From the below image of the Firefox browser, it shows that how the Intermediate certificate path looks in the certification hierarchy.

All major Certificate Authorities use intermediate certificates because of the additional security level. The Root certificate keys could make all certificates unreliable once it is exploited. Many certificate authorities keep their root certificate offline to protect their keys.

Root certificate and intermediate certificate have their own role to play in the certificate hierarchy. Once a root certificate is exposed, there is no method or replacement plan, therefore, many CAs prefer to use of an intermediate certificate for industry best practice.

Related Posts :