At first glance, an SSL certificate seems straightforward. You install it on your server to secure your visitors’ sensitive data, and it works flawlessly until expiration. Most of the web owners rarely delve deeper into SSL/TLS technical aspects. They let professionals handle the certificate configuration and renewal. Many won’t even care about the difference between root certificates and intermediate certificates, but if you want to install your cert by yourself, you should know the mechanism behind it. 

The SSL chain of trust

Users without prior experience who prefer to install an SSL certificate by themselves are in for a surprise. The moment they open the ZIP archive folder which the CA sent via email, they discover not one, but a couple of SSL files. 

One is the server certificate, issued specifically for your domain, other is the intermediate certificate that links your server certificate to the CA’s root certificate. All together, they form the SSL chain of trust – an ordered list of certificates that allow the receiver (a web browser) to verify that the sender (your secure server) and the CA are reliable. If one component in the chain is missing, browsers won’t trust the server SSL certificate and will issue an HTTPS warning.

Wait, what? Server certificates, intermediate certificates, root certificates, chain of trust, it’s all a bit too much for novices. If you’re one of them don’t worry, in this article, we’ll explain the difference between root certificates and intermediate certificates and why they are crucial to how the SSL/TLS works. But first, let’s come back to the chain of rust and look at the whole picture.

The image below illustrates how the chain of trust functions:

SSL Chain of trust

Image credit: Yanpas – CC BY-SA 4.0

You can also inspect the SSL chain trust by clicking the padlock of any website and selecting the Certification Path tab. If you look at SSL Dragon’s Certification path, you’ll see from top to bottom, the root certificate, intermediate certificate, and the server certificate (SSL Dragon uses a Cloudflare SSL certificate as part of CDN service).

SSL Chain of Trust

Now that you know about the chain of trust, let’s take each element and put it under the microscope.

What is a Root SSL Certificate?

A root SSL certificate sits at the top of the trust hierarchy and is the backbone of Public Key Infrastructure. Root SSL certificates are signed by trusted Certificate Authorities.  Who decides which CA is trustworthy? In a nutshell, browsers, and applications because all of them include a root store in their installation pack.  

A root store is a list of pre-downloaded, trusted root certificates from various CAs. For instance, if the CA root certificate isn’t included in Google’s root store, Chrome will flag the website using said CA as not secure. You can read more about Certificate Authorities and who regulates them in this extensive article.

A root certificate is used to issue other certificates. If the private root keys were stolen, cyber-criminals would forge their own trusted certificates. As a result, all the existing certificates singed by the hacked CA would have to be revoked. If something goes wrong with the root certificate, the CA is swiftly removed from all the root stores and ceases to exist.

To avoid the unthinkable, CAs use rigorous security procedures. They store the CA key in a special Hardware Security Module. Moreover, the physical computing device resides in a locked vault with steel doors and guards.  

Unlike commercial certificates, root certs have a much longer lifespan. Here’s the validity period of Sectigo (formerly Comodo CA) ECC. As you can see it expires in the distant 2038.

Root Certificate Expiration Date


What is an intermediate SSL certificate?

Issuing an SSL Certificate to the end-user directly from the root certificate is too dangerous. The roots are extremely valuable. To further protect themselves the CAs, came up with another layer of security – the intermediate certificate.

The root CA signs the intermediate root with its private key, and in turn, the intermediate CA uses its private key to issue SSL certificates to the general public. The intermediate certificate or certificates (some CAs use several intermediate certs between the root and end-user certificate) act as a link of trust. 

Browsers need them to identify the root CA and accept the server certificate. That’s why your SSL installation folder may contain an intermediate certificate, along with your primary cert. Intermediate certificates have also a longer validity than end-user SSL certificates, although it’s shorter than the validity of a root certificate.

Intermediate certificate validity

Final words

Hopefully, you now have a complete grasp of what really makes a digital certificate so secure. By understanding what is the difference between root certificates and intermediate certificates, you’ve solved the SSL/TLS puzzle. The SSL chain of trust is one of the reasons why SSL certificates are ubiquitous and efficient. The other is the high-end encryption, impossible to crack by even the brightest hacker.