Root Certificate vs Intermediate Certificates: What’s The Difference?

Public key infrastructure (PKI) supports many security services, including data secrecy, data integrity and authentication of the end entity. All of these services depend on the correct use of public/private key pairs. In a key pair, the public component is distributed through a public key certificate, along with a suitable algorithm. It is used for verifying digital signatures, encrypting data, or both.

A public key certificate is a signed statement that links a public key to an identity. The entity that vouches for this association and signs the certificate is called the issuer, and the entity whose public key is being certified is known as the subject of the certificate. To associate the identity with the public key, a chain of certificates is used. The certificate chain is also known as the certification path or chain of trust.

Let's start by introducing what a certificate chain is.

What is a Certificate Chain

A certificate chain is a list of certificates in which a certificate is followed by one or more certificates, with the following properties:

  • The issuer of every certificate matches the subject of the next certificate in the list.
  • Each certificate must be signed by the private key corresponding to the next certificate in the chain.
  • The last certificate in the list is a trust anchor. It is a certificate that you can trust because it was given to you through a reliable process.
  • A trust anchor is a CA certificate used by a relying party as the starting point for path validation.

The certificate chain, or chain of trust, is known in RFC 5280 as the certification path. In simple words, the chain of trust refers to your SSL certificate and how it is linked to a trusted certificate authority (CA). For an SSL certificate to be trusted, it must be traceable to a trusted root, which means every certificate in the chain (server, intermediate and root) must be properly trusted.
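The chain properties listed above can be checked with the openssl command line. The following is an added example, not part of the original article: it builds a throwaway root, intermediate and server certificate (all names, serial numbers and file names are made up), checks the issuer/subject linkage, and verifies the server certificate with and without the intermediate. It assumes the `openssl` CLI is installed.

```bash
#!/usr/bin/env bash
# Constructed demo chain: root -> intermediate -> server. All names are made up.

issue() {  # issue <dir> <name> <CN> <ext-file> <serial> [issuer-name]
  local d=$1 n=$2 cn=$3 ext=$4 serial=$5 ca=${6:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  if [ -z "$ca" ]; then   # no issuer given: self-sign (this is the root)
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 30 \
      -set_serial "$serial" -extfile "$d/$ext" -out "$d/$n.crt" 2>/dev/null
  else                    # signed with the issuer's private key
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.crt" -CAkey "$d/$ca.key" -days 30 \
      -set_serial "$serial" -extfile "$d/$ext" -out "$d/$n.crt" 2>/dev/null
  fi
}

build_chain() {  # build_chain <dir>
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\n' > "$d/leaf.ext"
  issue "$d" root "Demo Root CA" ca.ext 1 &&
  issue "$d" int "Demo Intermediate CA" ca.ext 2 root &&
  issue "$d" leaf "www.example.test" leaf.ext 3 int
}

# Issuer/subject property: issuer name of <child> equals subject name of <parent>.
name_of() { openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed "s/^$2= *//"; }
links() { [ "$(name_of "$1" issuer)" = "$(name_of "$2" subject)" ]; }

# Signature and trust-anchor properties: only root.crt is trusted. Extra
# arguments pass untrusted intermediates, as a server would send them.
verifies() {  # verifies <dir> [openssl verify options...]
  local d=$1; shift
  openssl verify -CAfile "$d/root.crt" "$@" "$d/leaf.crt" 2>&1 | grep -q ': OK$'
}

d=$(mktemp -d) && build_chain "$d" || echo "chain build failed"
links "$d/leaf.crt" "$d/int.crt"  && echo "server issuer = intermediate subject"
links "$d/int.crt"  "$d/root.crt" && echo "intermediate issuer = root subject"
links "$d/root.crt" "$d/root.crt" && echo "root is self-issued (trust anchor)"
verifies "$d" -untrusted "$d/int.crt" && echo "full chain: OK"
verifies "$d" || echo "intermediate missing: verification fails"
```

The last line shows why a server must send its intermediate certificate: the relying party holds only the root, and without the intermediate it cannot build a path from the server certificate to that trust anchor.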


There are three main parts of the chain of certificates:

Root certificate: A digital certificate belonging to the authority issuing the certificate. It comes pre-downloaded in most browsers and is kept in what is known as a trust store. Root certificates are safeguarded by CAs.

Intermediate certificate: Like the branches of a tree, intermediate certificates branch off the root certificate. They act as middlemen between the root certificate and the server certificate that is issued to the public. A certificate chain must contain at least one intermediate certificate, but it can contain more than one.

Server certificate: The certificate issued for the specific domain that a user needs coverage for.

Now, what’s the difference between a root certificate and an intermediate certificate?

If you are trying to get an SSL certificate for your website, you will come across root certificates and intermediate certificates, and there is a high chance that you will be confused by these terms. To understand the difference between them, you need to know about both in detail.

What is a Root Certificate and Why is it Important

A root certificate, also known as a trusted root, is a certificate issued by a trusted certificate authority such as Sectigo or DigiCert. It is a special kind of X.509 digital certificate that is used to issue other certificates, such as intermediates and end-user SSL certificates, to prevent the risk of being compromised. Each CA has more than one root certificate. Often, different root certificates have different attributes.

In SSL, the root certificate is the most important part, because any certificate signed with its private key is trusted by every browser. Hence extra precaution is taken to ensure that a root certificate is actually issued by a valid CA. For any site, it is the root certificate that establishes trust.

A valid CA has to go through various verifications and compliance processes before it is trusted to issue root certificates. Thus, the root certificate is how the trust anchor for a CA is recognized, which in turn relates directly to the websites that use signed security certificates issued by that CA.

What is an Intermediate Certificate

Issuing SSL certificates to end users directly from root certificates can be dangerous and impractical, as it can lead to management issues and fraud. To overcome such issues, CAs offer an extra layer of security called an intermediate certificate. This certificate acts as the chain of trust between the root certificate and the end-entity SSL certificate.

Although a root certificate is enough to provide SSL security, most CAs use intermediate certificates to meet the qualifications required of an issuing CA. This mainly applies to a new certificate authority that does not yet have the qualifications required to issue a root certificate. It therefore uses another CA's service and links its certificates to a valid root certificate, thereby forming a chain of trust.

A single trusted root certificate is linked to various intermediate certificates, along with cross certificates, giving users a valid chain of trust for SSL. After a CA receives the required validation and is considered trusted to issue its own root certificate, it replaces the trust anchor with its own root certificate. Thus, intermediate certificates bridge the gap between an intermediate CA and a trusted root certificate. They help CA companies find their footing and establish a customer base. Once properly validated, these CAs issue their own root certificates, which complete the trust chain without another CA's assistance.

Furthermore, Windows has separate tabs for root certificate authorities and intermediate certificate authorities, which you can find in the account console of any local computer.

Features of Intermediate Certificate

Some other reasons for using intermediate certificates are:

  • You can replicate intermediate certificates in large numbers without compromising the security framework, and they assist in establishing a chain of trust.
  • They help SSL deployments scale.
  • Most CAs use an intermediate certificate because it adds an extra layer of security and helps in handling security incidents gracefully. When there is a security attack, only the intermediate certificate is revoked, rather than the root certificate and its related certificates.

Root Certificate vs Intermediate Certificates - Key Differences

  • Root CAs are certificate authorities that possess one or more trusted roots, which are stored in most web browsers; intermediate CAs are certificate authorities that provide intermediate roots.
  • Root certificates do not have roots in the trust stores of browsers, but intermediate roots chain to trusted third-party roots. This is also called cross signing.
  • Root CAs are kept offline and only issue certificates to intermediate CAs. They cannot issue certificates to end users. Intermediate CAs can issue certificates to other intermediate CAs, or to end users.
  • A root CA is a certification authority that has one or more trusted roots. In short, it has roots in the trusted stores of all major browsers. Intermediate CAs are certification authorities that issue an intermediate root certificate. They have no roots in trusted browser stores; instead, their intermediate roots chain back to a trusted third-party root. This is sometimes called cross signing.
  • Root CAs do not issue SSL certificates directly from their roots; rather, they add an extra layer of security by issuing intermediates and then signing certificates with those intermediates. This helps avoid damage caused by mis-issuance or a security threat.
  • In case of a revocation, there is no need to revoke root certificates; revoking the intermediate solves the problem, as it distrusts all linked intermediates.
  • Compared to intermediate certificates, installing the root certificate can be a complex process.
  • The root certificate has a longer lifespan of 25 years, whereas intermediate CAs have just about one or two years of validity.

Root Certificate vs Intermediate Certificate - Comparison Table

Features | Root Certificate | Intermediate Certificate
Public Key Infrastructure | |
Security Layer | |
Signed In | Reliable CAs | Root CAs
Value in Trust Hierarchy | |
Access By | Root Store | Private Key
Certificate Information | Remote PC, Email message, Software publisher, etc. | Remote PC and issuance policies.
Storage Security Protocol | Hardware Security Module | SSL Installation Folder
Validity Lifespan | |

Root Certificate vs Intermediate Certificates: What's The Difference? Conclusion

So, even though root certificates and intermediate certificates serve the same function, they are different. Root CAs remain offline and only issue certificates to intermediate CAs, not to end users, as their compromise can destroy the PKI. Intermediate CAs are like the online version of root CAs. Intermediate CAs can issue certificates to other intermediate CAs or to end users, no matter what they need them for. Intermediate CAs also differ from root CAs in that their initial certificate is cross signed, in contrast to the root certificate, which is self signed. Once trust is established, the intermediate CA is given its own certificate and does not have to depend on any cross-signed certificate.

The whole chain of trust of a PKI is broken when there is no root certificate or intermediate certificate. Intermediate CAs are required for end-user communication, but root CAs are the base of the chain of trust. When planning your own PKI design, ensure you are using both root certificates and intermediate certificates for maximum security.

Hitesh Jethva

I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.
