Intermediate vs Root Certificates
PKI ensures secure digital communication by verifying online entities. Root and intermediate certificates create a trust chain, ensuring information integrity.
Table of Contents
What are the differences between root and intermediate certificates?
Public Key Infrastructure (PKI) is a foundational framework that verifies the authenticity of online entities and ensures the security of digital communication. Digital certificates are at the heart of PKI—different certificates work together to create a hierarchical structure that establishes a chain of trust, ensuring the security and integrity of online information exchange.
Let's examine the roles of root and intermediate certificates, why they're important, their differences, and how they work together to support secure online communication.
Understanding digital certificates
Digital certificates ensure the security and integrity of digital communication using authentication and encryption mechanisms. These cryptographic credentials verify the identity of a user, device, server, website, or organization and bind the identity to a public key. Each certificate contains information about the key, owner's identity, issuing Certificate Authority (CA), and other relevant details.
Certificates are part of a PKI framework of tools, policies, and processes for creating and managing public keys. This framework supports functions such as identity verification, encryption, and digital signature. PKI uses digital certificates to establish a chain of trust:
- A user generates a public key for encryption and a private key for decryption.
- The user sends a Certificate Signing Request (CSR), which contains the user's public key and identity information, to a CA.
- The CA authenticates the user's identity and issues a certificate, signed with its private key.
When you start with the root certificate at the top and establish a hierarchical list of certificates that verify the authenticity of the one below it, you create a chain of trust.
CAs verify the identity of entities requesting certificates and issue certificates by binding public keys to identities. They're also responsible for maintaining the Certificate Revocation List or using the Online Certificate Status Protocol (OCSP) to ensure criminals can't use revoked certificates for malicious purposes.
What is an intermediate certificate?
An intermediate certificate , also know as a Subordinate CA Certificate, sits between the root and end-entity certificate (e.g., SSL/TLS) in the certificate chain. Signed by a higher-level certificate (e.g., the root certificate), it may sign one or more end-user certificates. As PKI management becomes more complex and the risks of fraudulent activities increase, root CAs delegate tasks to intermediate CAs to streamline management and enhance security.
By bridging root certificates with end entities, intermediate certificates create a chain of trust in the PKI. Each entity in the chain verifies the identity of the one below it. The process validates the end-entity certificate based on the trustworthiness of the entire chain. Intermediate certificates are typically valid for 10-15 years, as regular expiration and renewal help maintain the security and effectiveness of the PKI.
The importance of intermediate certificates
With intermediate CAs as part of the trust chain, the root CA doesn't need to use its private key directly to issue end-entity certificates. This structure enhances security because a compromised intermediate CA's private key won't impact the root CA's key, trustworthiness, or ability to issue new certificates. The hierarchy also provides a well-defined, scalable structure for verifying each certificate's authenticity.
Moreover, a revoked intermediate CA won't affect the entire PKI. This supports operational flexibility and allows for granular certificate control and management. A compromised intermediate CA doesn't automatically affect the trustworthiness of all end-entity certificates or the root CA. This compartmentalization helps limit the potential damage of security breaches, enables organizations to isolate and address issues efficiently, and supports a resilient PKI.
What is a root certificate?
A root certificate sits at the top of the certificate hierarchy. It's a self-signed certificate and is the ultimate trust anchor for the entire PKI. The root certificate's public key verifies the digital signatures of intermediate certificates, which, in turn, validate end-entity ones to ensure secure and verifiable digital communication. Root certificates have a lifespan of as high as 25 years and are required to be stored offline in highly secure environments.
The most critical function of a root certificate is establishing trust in the PKI. It's inherently trusted, and its public key is pre-installed or securely distributed to relying parties, such as web browsers or operating systems. A trusted root certificate is a unique X.509 digital certificate for issuing other certificates.
Why are root certificates important?
Root certificates are the foundation of the trust chain in a PKI, providing a starting point for verifying all certificates in the hierarchy and ensuring the authenticity and integrity of each certificate. The CA/B Forum develops standards for certificate issuance and management. This is crucial for maintaining a standardized certificate ecosystem, so users can extend the trust to all certificates signed by the root and its intermediate certificates.
Root certificates and their public keys are pre-installed in popular software like web browsers to ensure they're recognized and trusted by default. Operating systems also store root certificates in their certificate stores (e.g., the Microsoft or Apple root store). They're regularly updated to add new root certificates and remove expired or compromised ones.
Differences between intermediate and root certificates
Root certificates sit at the top of the certificate hierarchy. They're self-signed, have the highest trust level, and don't depend on other authorities to establish trust. Meanwhile, intermediate certificates sit between the root and end-entity certificates.
They're issued and signed by the root certificate and may sign other intermediate or end-entity certificates.
Root certificates are pre-installed in software or securely distributed via certificate stores. Meanwhile, intermediate certificates don't have roots in the trust stores and are typically not pre-installed in systems. Their roots link back to the trusted root CAs that issue them.
The revocation of a root certificate is a significant event and may require widespread updates to numerous software and applications. The impact of revoking an intermediate certificate is more localized, affecting only a specific branch of the certificate chain. Additionally, root CAs are kept offline for security purposes. They only sign intermediate CAs, which, in turn, sign end-user and server certificates.
Root and intermediate certificates share some similarities. They're both essential for establishing a chain of trust in the PKI and contain information like public keys, issuer details, and digital signatures. Both have undergone rigorous verification processes to ensure authenticity, integrity, and compliance with the PKI hierarchy. They work together to ensure the security of the PKI and the trustworthiness of digital communication.
How root and intermediate certificates work together
Root and intermediate certificates work together to form a chain of trust:
- A root CA signs an intermediate certificate to create the first link in the chain of trust.
- The intermediate certificate signs other certificates. Each certificate in the chain verifies the identity of the one below until reaching the end-entity certificate.
- During an SSL/TLS handshake, the web server presents its SSL/TLS certificate to the client (e.g., a browser), which checks the certificate's signature and follows the certification path to the root certificate to verify its legitimacy.
How Sectigo can help
Root and intermediate certificates are essential for securing PKI. They work hand in hand to verify the identity of each certificate in the chain of trust and support robust authentication and encryption mechanisms to bolster cybersecurity and data integrity.
Purchasing your digital certificates from a trusted CA ensures the security of your IT infrastructure, websites, online services, and applications. Sectigo has several trusted Root CA certificates and many intermediate CA Certificates. We also issue end-entity certificates like SSL/TLS certificates so you can handle all certificate purchases in one place. This streamlines certificate management and ensures consistent security policies across the entire certificate hierarchy.
Additionally, our certificates integrate seamlessly with our CA-agnostic Sectigo Certificate Manager to help you simplify and automate Certificate Lifecycle Management and get real-time visibility across all cryptographic assets. Learn more and start a free trial to experience the convenience of "single pane of glass" certificate management.