An intermediate certificate is a subordinate certificate issued by the trusted root certificate authority and provided to certificate providers to give them the authority to issue end-entity (SSL) server certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate and ending with the SSL certificate issued to you. Such certificates are called chained root certificates.
Creating certificates directly from the CA root certificate increases the risk of root certificate compromise, and if the CA root certificate is compromised, the entire trust infrastructure built by the SSL provider will fail. The usage of intermediate certificates for issuing SSL certificates to end entities, therefore, provides an added level of security. You must install the intermediate certificate in your Web server along with your issued SSL certificate to complete the trust chain and allow the certificate to be effective.
A certificate authority or certification authority (CA) is an entity that issues digital certificates such as Geotrust, Symantec and Comodo just to name a few.
SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client.
There are two types of CAs: root CAs and intermediate CAs.
In order for a digital certificate to be trusted, that certificate must have been issued by a CA that is trusted by the corresponding web browser (Chrome, Mozilla etc.) Browsers will only trust certain Certificate Authorities and therefore will only trust certificates that have been signed by such CA’s.
If the certificate was not issued by a trusted CA, the connecting web browser will then check if the certificate of the issuing CA was issued by a trusted CA until either a trusted CA is found (and then a secure connection will be established) or the device will display an error message explaining that the certificate is not trusted.
A Root CA is one of the top level certificate authorities, it signs certificates for other certificate authorities. To prove the authenticity of a certificate signed by one of the 2nd or 3rd level CAs, an intermediate CA file is required.
An intermediate authority is a certificate issuer that has itself been issued by a root or another higher level intermediate authority.
Any CA can be an “intermediate CA”. Because “being intermediate” is defined by how the verifier sees it.
When a certificate being validated, the signature, which has been generated over that certificate by the CA that emitted the certificate is verified.
This signature is verified against the CA public key. If you know the CA public key “inherently” (e.g. it is one of the CA public keys distributed with the operating system), then the CA is a trust anchor, also known as root CA.
On the other hand, if you know the CA public key only through validation of a CA certificate (a certificate issued to that CA by another CA), then the CA is deemed “intermediate”. One can see the name “intermediate” as describing where the CA is in the chain of trust: the trust anchor is at the beginning, the end-entity is obviously at the end and anything in-between is “intermediate”.
Thus, in the SSL case, it would depend on which certificate chain the server sends – the last one is the root, all others are intermediate.
Example of an SSL Certificate chain
Fore examples sake, let’s say that you purchased a certificate from the ‘Awesome Authority’ for the domain “example.com”.
‘Awesome Authority’ is not a root certificate authority, which means it’s certificate is not explicitly trusted by your web browser as it is not directly embedded in your browser.
(1) SSL Certificate – Issued to: example.com; Issued by: ‘Awesome Authority’
(2) Intermediate Certificate 1 – Issued to: ‘Awesome Authority’; Issued by Intermediate Awesome CA Alpha
(3)Intermediate Certificate 2 – Issued to: Intermediate Awesome CA Alpha; Issued by Intermediate Awesome CA Beta
(4)Root Certificate – Issued to Intermediate Awesome CA Beta by The King of Awesomeness
The King of Awesomeness is a Root CA, its certificate is directly embedded in your web browser and can be explicitly trusted.
In this example, SSL certificate chain includes 4 certificates.
Certificate (1) is your end-user SSL certificate, the one you purchased from the Awesome Authority.
Certificates (2) and (3) are called intermediate certificates. Certificate (4), the one at the top of the chain, us called root certificate.
When you install your end-user certificate for example.com, you may need to bundle all of the intermediate certificates and install them along with your SSL certificate however this changes on a server by server basis. In a lot of instances, there will only be one intermediate certificate that needs to be installed and this will be suffice to link your SSL to the root certificate. The use of two intermediates is an added level of security certain CA’s decide to implement.
If the SSL certificate chain is broken, your certificate will not be trusted by some devices.
‘What Is An Intermediate Certificate’ is licensed under a Creative Commons Attribution 4.0 International License. You have permission to republish this article with attribution to the author and Blog.trustico.com.