Root Certificates vs. Intermediate Certificates: Difference to Know

The phrases “root certificates” and “intermediate certificates” will probably come up while you shop for an SSL certificate for your website. The two terms are easy to confuse.

The primary distinction between intermediate and root certificates is where they originate. A root certificate authority has its roots in the trust stores of the major browsers.

Intermediate certificate authorities, or sub-certificate authorities, do not have roots in browser trust stores, so they provide an intermediate root. An intermediate certificate authority therefore originates from a third-party root.

Was that a lot to take in? Don’t stress. We will go into extensive detail about everything in this article. But first, let’s review the basic concepts.

How SSL Works

Public Key Infrastructure

SSL uses a public/private key pair approach. Only a party holding the appropriate key can read the encrypted site content. Visitors receive the site’s public key inside a certificate file, which their browser uses each time they access the website.

PKIs, or public key infrastructures, are quickly replacing physical security in many businesses because they give the devices, people, and applications operating on a company’s network both identity and authentication.

This is how a PKI works: a machine, user, or piece of software that would like to use a company’s network submits a Certificate Signing Request (CSR), which includes the requester’s public key and the data required to issue a certificate for them.

If the website’s certificate is invalid, it indicates that it has not undergone enough verification and might be dangerous. A website can choose from several certification levels, each with different validation procedures and degrees of trust.

Authorized certifying authorities issue certificates after carrying out their due diligence to ascertain the validity of the website requesting an SSL certificate. Additionally, every certificate has an expiration date, beyond which it is deemed invalid and needs to be renewed to maintain the SSL security features.

SSL gives users a way to verify that a certifying authority has approved the website they are attempting to access and that the site is genuine. Beyond guarding against data breaches and security vulnerabilities, SSL is what makes encryption of the connection work.

Digital Signatures

Advanced electronic signatures, or digital signatures, require a key or certificate to authenticate the signer’s identity. In the context of SSL, think of them as a digital form of certification.

A root certificate digitally signs an intermediate certificate and transfers some of its trust to the intermediate certificate, as the SSL chain of trust graphic illustrates. The intermediate is presumed authentic by default, as the signature originates from the root.

A browser authenticates the server (the customer’s) certificate and validates each digital signature using the signer’s public key. It verifies each certificate in the SSL chain of trust until it reaches a root certificate that is pre-installed in the browser’s root store. The browser won’t accept your SSL certificate if it cannot validate every certificate in the chain.

What Is the SSL Chain of Trust?

It doesn’t matter whether you call it the Certificate Chain or the Chain of Trust; both express the same idea. This chain consists of the SSL certificate that the website owner purchased and a collection of CA certificates.

It assures both the sender and the recipient of the certificate that it is valid and reliable.

The public key infrastructure, or certificate issuance process, is made up of numerous security-related services that ensure public/private key pairs are used correctly. A chain of certificates is used throughout the process, although the end user may never look at it.

Every certificate chain consists of a list of certificates, including a self-signed certificate, one or more CA (certifying authority) certificates, and the final end-user certificate.

The following features are present in every certificate:

  • Information about the certificate’s issuer. Except for the final certificate in the chain, this value matches the subject of the next certificate in the chain.
  • A signature. Every certificate in the chain is signed using the private key that corresponds to the next certificate in the chain. Again, the last certificate in the chain is the exception, because it is self-signed.

As already explained, the last certificate in a certificate chain differs from the others. It is termed the trust anchor and is always issued by a trusted organization, such as a competent certifying authority (CA). It is commonly referred to as the CA certificate. As the trust anchors in a certificate chain, these root certificates can only be issued by a certified and highly trusted certifying authority.

Suppose a root certificate is legitimate, but the certificate chain cannot be connected to it. In that case, the chain is regarded as invalid, and the end-user application will not treat the associated website as coming from a reliable source.

The characteristics of the chain are:

  • Each certificate carries issuer information, that is, the CA who issued it.
  • Each certificate is signed with the private key that matches the next certificate up the hierarchy.
  • The last certificate, or trust anchor, is the CA certificate, which comes from a reputable, trusted source.

What is Certificate Hierarchy?

You can view the certificate hierarchy, along with further details, when you save the certificate of a website that you are attempting to connect to. The first certificate you keep is considered the root certificate; next come the intermediate CAs, and finally, the final certificate should lead to an authentic CA.

What Precisely Is a Root SSL Certificate?

A root certificate, also known as a trusted root, is one of the certificates issued by a reliable Certificate Authority (CA), like Certera or Sectigo. It is a special kind of X.509 digital certificate used to issue intermediate certificates and additional end-user SSL certificates to reduce the possibility of a security breach.

Additionally, root certificates have a far longer validity period than the end-user or leaf SSL certificates deployed on the website.

Public Key Infrastructure is built on root SSL certificates, which sit at the top of the trust hierarchy.

A root store is a list of trusted root certificates from several CAs that has been pre-downloaded. For example, if a CA’s root certificate isn’t included in Google’s root store, Chrome will mark a website using that CA as insecure.

Additionally, every CA possesses several root certificates.

Other certificates are issued using a root certificate. If cybercriminals obtained the secret root keys, they could manufacture their own trusted certificates. All the current certificates the compromised CA has signed would then need to be revoked. If there is any issue with the root certificate, the CA is quickly removed from all root stores.

Intermediate Certificate

These certificates act as intermediaries between the server (endpoint) certificates and the protected root certificates. At least one intermediate certificate must be in the chain, and there can be more than one.

Issuing SSL/TLS certificates to end users straight from the root certificate is hazardous and impractical, and might result in fraud and administration issues. So, CAs provide an additional layer of protection called an intermediate certificate to address these issues.

Additionally, these intermediate certificates act as a “Chain of Trust” between the root certificate and an end-entity SSL/TLS certificate. Also, Windows maintains separate tabs for Trusted Root and Intermediate certificate authorities, which reside in the local computer’s account interface.

Although their validity period is shorter than a root certificate’s, intermediate certificates last longer than end-user SSL certificates.

Root Certificates vs. Intermediate Certificates – What’s the Difference

For generating and authenticating digital certificates, the Public Key Infrastructure (PKI) relies on both root certificates and intermediate certificates. However, there are a few noticeable differences between them.

Brief Outline

Root certificates belong to CAs with trusted roots and are saved in all browsers worldwide.

Intermediate roots are provided by the CAs that issue the intermediate certificates. They are connected to third-party roots and are not kept in browser trust stores.


The root certificate in the PKI’s trust hierarchy is a self-signed digital certificate. Building confidence in a digital certificate is achieved by confirming that a trustworthy entity issued it.

An intermediate certificate is a digital certificate issued by a root certificate. It acts as a bridge between the end user’s certificate and the root certificate.

Significance in the Trust Chain

The root certificate is considered notable and has a higher value in the chain of trust than an intermediate certificate.

The intermediate certificate has little significance in the trust chain. It acts as an intermediary.

Certificate Issuance

Root certificates are not used by the CA to issue SSL certificates directly. Instead, intermediate certificates sign the endpoint (SSL) certificates to prevent breaches.

The intermediate certificate serves as a mediator by signing further intermediate certificates, protecting the root certificate, and issuing SSL certificates.


Root certificates rarely expire and are used for extended periods.

Intermediate certificates frequently have a shorter validity period than root certificates.

Damage in an Emergency

Tampering with the root certificate might result in catastrophic consequences, since the attacker gains access to the whole PKI and can undermine trust all along the chain hierarchy. Because of this, it’s best to limit its exposure by keeping this certificate offline.

An intermediate certificate becomes unusable if it has been tampered with. The only option is to remove it, along with the other intermediates, to stop further harm.


Root certificates don’t have to be renewed if a certificate is revoked for whatever reason.

In an emergency, intermediate certificates will be revoked to prevent disaster.


The root certificate is accessible in the root store.

The intermediate certificate is accessed using the private key.

Final thoughts

As you have seen, root and intermediate certificates are significantly different despite serving the same purpose.

Understanding these technical details and managing these certificates is a challenging task. After reading this article, you can see that, regardless of their similarities, these certificates nonetheless differ significantly.

Because root certificates are tightly guarded for security, they are kept offline and their keys are never seen by end users. Conversely, the intermediate certificate is kept online for signing and for issuing endpoint and further intermediate certificates.

By now, you should completely grasp what exactly makes a digital certificate secure. You have effectively dealt with the SSL/TLS dilemma by comprehending the difference between root and intermediate certificates. One of the leading causes of the effectiveness and widespread use of SSL certificates is the SSL chain of trust.

Frequently Asked Questions

How can the Root Certificate and Intermediate Certificate be distinguished?

You can distinguish between an intermediate and a root certificate by reviewing the certificate. If the “Issued to” and “Issued by” fields match, the certificate is a root; otherwise, it is an intermediate. Reputable roots may only be issued by authorized certificate authorities.

How do Intermediate and Root Certificates Appear in the Hierarchy?

The root, intermediate, and server certificates should be in the proper sequence in an SSL certificate chain.

What is the Process for Combining Intermediate and Root CA Certificates?

You only need to aggregate the ASCII data from each PEM certificate into a single file to integrate multiple certificates.
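
The three answers above can be checked end to end with the `openssl` command line. The script below is an added example, not part of the original article: it builds a throwaway root, intermediate and leaf, classifies each one by comparing subject and issuer, concatenates the PEM files into a bundle, and shows that the leaf only validates when the intermediate is supplied. It assumes OpenSSL 1.1.1 or later on the PATH; every certificate name, file name and the helper functions `issue`, `cert_role` and `chain_ok` are constructed for illustration.

```shell
# Added example: throwaway root -> intermediate -> leaf chain (all names constructed).
set -eu
cd "$(mktemp -d)"
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF

# Root: self-signed, so its subject and issuer are the same name.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 3650 -config ext.cnf -extensions v3_ca 2>/dev/null

# issue NAME SUBJECT SIGNER EXT DAYS: NAME.pem is signed with SIGNER's private key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" -config ext.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days "$5" -extfile ext.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}
issue inter "/CN=Example Intermediate CA" root v3_ca 1825
issue leaf "/CN=www.example.test" inter v3_leaf 90

# Root if subject == issuer; otherwise the CA flag separates intermediate from leaf.
cert_role() {
  if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
       "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then echo root
  elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo intermediate
  else echo leaf; fi
}

# Verify CERT with root.pem as the trust anchor; $2 is an optional intermediate bundle.
chain_ok() {
  openssl verify -CAfile root.pem ${2:+-untrusted "$2"} "$1" >/dev/null 2>&1
}

# Combining certificates is plain concatenation of PEM text: leaf first, then intermediates.
cat leaf.pem inter.pem > fullchain.pem

for c in root inter leaf; do echo "$c.pem: $(cert_role "$c.pem")"; done
chain_ok leaf.pem inter.pem && echo "leaf + intermediate: chain verifies"
chain_ok leaf.pem || echo "leaf alone: no path to the root"
```

Matching subject and issuer names only tells you how a certificate is labelled; `openssl verify` is what actually checks each signature up to the trust anchor.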

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.