The importance of SSL security for an online business and for a website's reputation is well understood. Looking more closely at the technical side, SSL security depends on a number of factors: the RSA key, the root chain, the SHA hashing algorithm, the encryption key length and so on. Today we discuss one of these key factors, the root certificate and the intermediate certificate. Broadly, there are two kinds of certificate authority: the root CA and the intermediate CA. Many people hold mistaken ideas about root and intermediate certificates, so we cover the basics of both and the roles they play in the certificate chain.
A root certificate is part of the public key infrastructure (PKI); it is a self-signed (or unsigned) public key certificate. Certificate authorities issue many kinds of digital certificate, and the root certificate sits at the top of the certificate hierarchy. Digital certificates follow a chain of trust, and the trust anchor at the top of that chain (a trusted, authoritative entity) is the root CA (certificate authority). Every certificate below the root derives its trust from the root certificate: the root's key signs the certificates beneath it, and the root's public key is what relying parties use to check those signatures. Many software applications inherit this trust as well; browsers and other services verify SSL/TLS connections on the basis of which root certificates they trust. Today many CAs issue root certificates, and the Windows operating system updates its set of trusted roots at regular intervals. In the image below, the certificate's "Issued to" and "Issued by" fields name the same certificate authority, which means that CA is acting as a root certificate authority.
As the responsibilities placed on PKI grew, the number of root CAs multiplied, but in the end it is not practical to have many root CAs, since that invites fraud and management problems. Out of this situation the concept of the intermediate certificate authority evolved: root certificate authorities delegate their issuing tasks to intermediate CAs, and a single root can therefore have more than one intermediate CA beneath it. An intermediate certificate is not self-signed. It stands in for the root in day-to-day issuance so that the root certificate can stay behind its own security layers and its keys remain out of reach.
The intermediate certificate forms the "chain of trust" between an end-entity certificate and the root certificate. In Windows, the Local Computer certificates console shows these in separate stores: Trusted Root Certification Authorities and Intermediate Certification Authorities.
SSL certificate authorities (Symantec, GeoTrust, Comodo and others) use intermediate certificates, and the certificate holder has to install the intermediate certificate once, alongside the SSL certificate. That is what allows browsers, mobile devices and applications to recognise the SSL certificate as trusted. The image below, taken from the Firefox browser, shows how the intermediate certificate appears in the certification hierarchy.
All major certificate authorities use intermediate certificates because of the additional layer of security they provide. If the root certificate's private key were compromised, every certificate beneath it would become untrustworthy, so many certificate authorities keep their root certificate offline to protect its keys.
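To make the chain of trust described in the preceding paragraphs concrete, here is an added example (not code from the original article or from any CA) written in Go with only the standard library. It constructs a self-signed root, an intermediate signed by the root's key, and a server certificate signed only by the intermediate's key, then verifies the server certificate the way a browser would, trusting nothing but the root. All names, serial numbers and the hostname `www.example.test` are constructed placeholders. The second verification call shows what happens when the intermediate is not installed alongside the server certificate: the chain cannot be built and validation fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hostname of the constructed end-entity certificate (placeholder value).
const leafHost = "www.example.test"

// genKey creates a fresh P-256 key pair; a failing CSPRNG is not recoverable.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template under parent with signerKey and returns the parsed
// certificate. When parent == template the result is self-signed, which is
// exactly how a root certificate comes into being.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate returns a CA certificate template. A path length of 0 means the
// CA may only issue end-entity certificates, a typical intermediate constraint.
func caTemplate(serial int64, cn string, maxPathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        maxPathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// buildChain constructs the hierarchy: self-signed root -> intermediate -> server cert.
func buildChain() (root, inter, leaf *x509.Certificate, err error) {
	rootKey, interKey, leafKey := genKey(), genKey(), genKey()

	// Root: self-signed, so "Issued to" and "Issued by" carry the same name.
	rootTmpl := caTemplate(1, "Example Root CA (constructed)", 1)
	if root, err = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	// Intermediate: the only certificate the root key ever signs here.
	interTmpl := caTemplate(2, "Example Intermediate CA (constructed)", 0)
	if inter, err = issue(interTmpl, root, &interKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	// Server certificate: signed by the intermediate key; the root key is not
	// touched again, which is what lets a CA keep that key offline.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafHost},
		DNSNames:     []string{leafHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if leaf, err = issue(leafTmpl, inter, &leafKey.PublicKey, interKey); err != nil {
		return nil, nil, nil, err
	}
	return root, inter, leaf, nil
}

// verifyLeaf acts as the browser: only the root is trusted, and the intermediate
// is accepted solely because the root signed it. Without the intermediate the
// chain from leaf to root cannot be built and verification fails.
func verifyLeaf(root, inter, leaf *x509.Certificate, sendIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, DNSName: leafHost}
	if sendIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(inter)
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	root, inter, leaf, err := buildChain()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{root, inter, leaf} {
		fmt.Printf("issued to %q by %q\n", c.Subject.CommonName, c.Issuer.CommonName)
	}
	fmt.Println("with intermediate:   ", verifyLeaf(root, inter, leaf, true))
	fmt.Println("without intermediate:", verifyLeaf(root, inter, leaf, false))
}
```

Run it with `go run .`: the first verification returns `<nil>`, the second returns an error saying the certificate is signed by an unknown authority, because the relying party knows the root but has no way to connect the server certificate to it without the intermediate.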
Root and intermediate certificates each have their own role in the certificate hierarchy. Once a root certificate's key is exposed there is no straightforward remedy or replacement plan, which is why, as an industry best practice, many CAs prefer to issue from intermediate certificates.