Live Chat
Same Certs
Cheapest Price Seal
Less Price

Root CA Certificate vs. Intermediate CA Certificate

We all know the importance of SSL security prevailing for online business and reputation of websites. If we look deep into SSL security technicise, it depends on lots of factors like RSA key, root chain, SHA algorithm, encryption length etc. Today we are going to discuss on one of the key factors like Root certificate and Intermediate certificate. Generally, there are two types of certificate authorities like the Root CA and the intermediate CA. Many individuals have the false perception about the root certificate and intermediate certificate. We have covered the basic perception of both root and intermediate certificates and their roles in the certificate chain.

Root Certificate:

Root certificate is a part of public key infrastructure (PKI) and it can be self-signed or unsigned public key certificate. Certificate authority issues numerous types of digital certificates and Root certificate is on the top of the certificate hierarchy. Digital certificates follow a chain of trust and the top anchor (a trusted and authoritative entity) of this chain is Root CA (certificate authority). All certificates below root certificate put trust into the root certificate and the public key of root certificate is used to sign other certificates. Many software applications also believe or inherit the reliability of this root certificate like browser and other services verifies the SSL/TLS connections on the base of root certificate trustworthiness. At the current time, many CA issues root certificates, which are also updated at regular interval in Windows OS (operating systems). In the below image, you can see that certificate “Issued to” and “Issued by” is the same certificate authority means the CA is also playing a role of root certificate authority.

Root CA Certificate

Intermediate Certificate:

With the increase of PKI responsibility, the number of root CAs has been replicated, but at the end, it is not practical to have many Root CAs as it could lead to fraud and management issues. In that case, the concept of Intermediate certificate authority has been evolved. The Root Certificate authorities have delegated their tasks to Intermediate CAs. As a result, there can be more than one Intermediate CAs. Intermediate certificate is not a self-signed certificate, but works as a substitute of root certificate because Root certificate has its own security layers assuring that its keys remain unobtainable.

Intermediate certificate plays a “Chain of Trust” between an end entity certificate and root certificate. In Windows OS, there will be separate tabs like Trusted Root certificate authorities and Intermediate certificate authorities seen in local computer account console.

console

SSL Certificate Authorities (i.e. Symantec, GeoTrust, Comodo etc.) use intermediate certificate and users have to install the intermediate certificate for once. That will tell browsers, mobile and apps that the SSL certificate is trusted one. From the below image of the Firefox browser, it shows that how the Intermediate certificate path looks in the certification hierarchy.

Intermediate CA Certificate

All major Certificate Authorities use intermediate certificates because of the additional security level. The Root certificate keys could make all certificates unreliable once it is exploited. Many certificate authorities keep their root certificate offline to protect their keys.

Root certificate and intermediate certificate have their own role to play in certificate hierarchy. Once a root certificate is exposed, there is no method or replacement plan, therefore, many CAs prefer to use of intermediate certificate for industry best practice.

Cheap SSL Shop
4.8/5 overall satisfaction rating

Based on 3317 ratings from actual customers

Customer Reviews
"Not a new customer just a new account due to a name change. Love your prices and service. Thanks for everything! Jimmy - Prestacarts Global Commerce"
Jimmy Ray Warren J / TX, United States
"I have to say your tech "Mike" went out of his way to help me setup the CSR for our SSL. I am not a techie, and Mike was extremely helpful and patient with me. You need to hire more support personnel like Mike! Great job Mike!! Thank you for all your help!! Jana"
Jana K
"Been using you guys for several years. Clean built website with a great UI/UX that lets me get to what I need to buy quickly. I couldn't ask for more. Thanks!"
Devin N
5 Star
80%
4 Star
13%
3 Star
3%
2 Star
2%
1 Star
2%