What Is an Intermediate Certificate and How Does it Work?

What Is an Intermediate Certificate

When exploring digital security, you’ll encounter the term intermediate certificate. But what is an intermediate certificate, and why is it so significant? Let’s break it down and understand how intermediate certificates fit into the SSL/TLS framework and the broader Public Key Infrastructure (PKI).


Table of Contents

  1. What is an Intermediate Certificate?
  2. How an Intermediate Certificate Works?
  3. The Importance of Intermediate Certificates in SSL/TLS
  4. Root vs. Intermediate vs. SSL Certificates
  5. Types of Intermediate Certificates
  6. How to Obtain an Intermediate Certificate
  7. Common Uses for Intermediate Certificates

What is an Intermediate Certificate?

An intermediate certificate sits between the root and the end-user certificates in the SSL/TLS certificate hierarchy. Its main job is to bridge the trust from the root certificate authority (CA) to the final certificate used by the end entity, like a website or an application. Technically, it is a file that contains a public key, a signature from the issuing authority, and other metadata.

To visualize this, think of a certificate chain. At its top is the root certificate—a trusted authority that doesn’t sign all certificates directly. Instead, it issues intermediate certificates that then issue end-user certificates. This hierarchy helps manage and secure digital certificates efficiently.


How an Intermediate Certificate Works?

Here’s how an intermediate certificate functions within the SSL/TLS protocol:

  1. Issuance: The root certificate authority (CA) issues intermediate certificates. These are not used directly on web servers but link the root CA and end entity certificates.
  2. Certificate Signing Request (CSR): When a website needs a certificate, it generates a CSR and sends it to the CA. The CSR includes information such as the public key and organizational details.
  3. Signing and Verification: The CA verifies the CSR and issues the intermediate certs (CA Bundle) and the end-user certificate. Intermediate certificates are signed with the root CA’s private key, ensuring their legitimacy.
  4. Chain of Trust: The intermediate certificate authority signs the end-user certificate. Browsers or clients can trace this certificate back through the chain to the root certificate to confirm trust.
  5. Establishing Trust: When a user connects to a secure site, their browser checks the entire chain—from the end-user certificate to the intermediate CA and finally to the root certificate. If all certificates are valid and trusted, the connection is secure.
  6. Certificate Revocation and Renewal: CAs can revoke and renew intermediate and end-user certificates if compromised or expired. Browsers check for revocation status through Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP) to ensure the certificates are valid.

The Importance of Intermediate Certificates in SSL/TLS

Intermediate certificates are essential for several reasons:

  • Enhanced Security: By using intermediate certificates, the root CA can keep its certificate secure. If an intermediate certificate is compromised, the root certificate remains intact.
  • Efficient Management: Intermediate certificates streamline the management of large numbers of certificates. They allow for effective delegation of certificate issuance and reduce the exposure of the root certificate.
  • Flexibility and Control: With multiple intermediate CAs, organizations can create distinct certification paths for different needs. This setup allows for better control and flexibility when managing certificates.

Root vs. Intermediate vs. SSL Certificates

Understanding the distinctions between root and intermediate certificates can help you troubleshoot various SSL-related issues.

  • Root Certificates: Issued by the root CA, these are the top-level certificates stored in root stores of major browsers and operating systems. They are self-signed and establish the highest level of trust.
  • Intermediate Certificates: These are issued by the root CA or another intermediate CA. They serve as a bridge in the certification path and are used to sign end-user certificates.
  • SSL Certificates: Installed on web servers, these certificates are issued by an intermediate CA. They encrypt data between the server and the client.

Types of Intermediate Certificates

Different types of intermediate certificates include:

  • Single Intermediate CA: A straightforward CA that issues certificates for specific purposes or entities.
  • Cross-Signed Certificates: Intermediate certificates signed by multiple root CAs to ensure compatibility across different root stores.
  • Other Intermediate Certificates: Issued for specialized use cases or by various intermediate CAs with distinct roles and authorities. For instance, Sectigo issues different types of intermediate certificates for specific purposes. One example is their Code Signing Intermediate CA, which is used exclusively to issue certificates for code signing. This intermediate ensures that software and applications are verified and secure.

How to Obtain an Intermediate Certificate

CAs issue intermediate certificates to organizations that manage their own subordinate CAs. Regular users typically don’t generate or request them.

To obtain one, you must have an established relationship with a trusted CA that allows you to act as a subordinate CA.

If you’re an organization managing a Public Key Infrastructure (PKI), you can request an intermediate certificate from a CA. You’ll often need to demonstrate the security of your systems and your intent to issue certificates responsibly.

When an end-user certificate is issued, the CA will often provide a CA bundle, which includes the intermediate certificates necessary to establish a chain of trust from the end-user certificate to the root certificate. This bundle is installed on the server, and allows browsers to validate the certificate properly, even on legacy versions.


Common Uses for Intermediate Certificates

Certificate Authorities use intermediate certs to protect their root certificates while issuing certificates to clients. Here’s how they fit in:

  • Delegating Trust: Root certificates are rarely used directly because compromising a root would undermine trust in the entire CA. Intermediate certificates act as intermediaries, signing end-user certificates on behalf of the root and preserving the root certificate.
  • Certificate Chaining: When a CA issues an intermediate certificate, it links it between the root and the final certificate that a website or server uses. This chain validates the certificate’s authenticity by browsers and systems.
  • Issuing Different Types of Certificates: Intermediate certificates allow CAs to create and manage certificates for different purposes (e.g., SSL/TLS for websites, code signing, email security) without risking the root.

Where Intermediate Certificates Are Used

  • Public CA Infrastructures: Major CAs like Let’s Encrypt, DigiCert, and others issue SSL/TLS certificates through intermediaries. This practice ensures that the CA’s root certificates remain secure.
  • Private PKI Systems: Enterprises with internal Public Key Infrastructures (PKIs) use intermediate certificates to manage trust within their organization. They may issue intermediate certificates for different departments or applications, each responsible for signing their end-user certificates.
  • Subordinate CAs: Large organizations may be issued intermediate certificates from a primary CA. These organizations can act as subordinate CAs, issuing certs for specific domains or services.

Intermediate CA Certificate in Action

Imagine an online store using SSL/TLS to secure transactions. Here’s how intermediate certificates work:

  1. Root CA: Issues intermediate certificates to trusted CAs.
  2. Intermediate CA: Signs the SSL certificate for the store’s web server.
  3. End-User Certificate: Installed on the server, encrypts data between the server and users.
  4. Verification: Users’ browsers trace the SSL certificate back through the intermediate certificate to the root certificate, confirming the connection security.

Bottom Line

In summary, intermediate certificates keep a secure and verifiable certification path in SSL/TLS encryption. They ensure that digital certificates securing web communications are reliable and trustworthy. Understanding their role will help you manage and secure your digital environment, whether you’re an IT professional, web developer, or just starting in cybersecurity.

Save 10% on SSL Certificates when ordering today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

Written by

Experienced content writer specializing in SSL Certificates. Transforming intricate cybersecurity topics into clear, engaging content. Contribute to improving digital security through impactful narratives.