If you are applying for an SSL certificate, or if you are just starting to create your own website, you may by now have come across these terms: root certificates, intermediate certificates and SSL certificates. "What ARE all those? And what do they do?" You may be wondering.
Not many people know much about SSL, except for the fact that a website is required to install it. It's even more confusing when they hear root certificates and intermediate certificates. And really, it's not easy to explain these concepts in just one sentence, especially to someone who has no knowledge about it. But we will take this challenge and try to cover the basics for you!

In this article, we will explain them in detail and try to be as clear and straightforward as possible. This article is recommended to all website owners and those who are interested and eager to learn.

The Certificate Chain

The certificate issuing process actually consists of several major parts. The aforementioned root certificates, intermediate certificates and SSL certificates will be used along the process. Together they're called the certificate chain or the chain of trust.
The chain of trust offers a secure method to identify an organization. If you apply for an SSL certificate, you may notice that the CA sends your SSL certificate to you along with an intermediate certificate. The SSL certificate is signed by the intermediate certificate, and the intermediate certificate is signed by the root certificate issued by a trusted CA. Each chain of trust begins with a root certificate, and all the certificates on this chain must be able to link back to the trusted root. If the verifying process of one certificate cannot reach the final certificate, then this chain will be considered broken and the connection will be terminated.

This is a very straightforward description of how the chain of trust forms. Next, we'll discuss in detail how the root certificate and the intermediate certificate work and how they help to ensure a secure connection.

What Is the Root Certificate?

Unlike the SSL certificate that needs to be obtained proactively, the root certificate and the intermediate certificate usually work without our notice. A root certificate can be said as the most important certificate in the chain of trust, as all the validation will trace back to it. Its name tells it all: It's the root. Everything has to come from here.

Devices and browsers store all the pre-downloaded certificate in a place called the "root store". The root certificate can be used to sign other certificates. Certificates issued off and signed by the root certificates will become instantly trusted by the browsers. Therefore, there are highly strict guidelines and requirements for the CAs (certification authorities) that issue the root certificates. When a CA is trusted to issue its own root certificate, it will add its root certificates and corresponding public keys to the root store.
The validity period of the root certificate is so much longer than other certificates. While the intermediate certificate has no more than 2 years of validity, the root certificate can be valid for as long as 25 years.

The root certificate is indispensable and of great significance. It can cause great trouble if one gets compromised. Follow the steps below to view the root certificates on Windows.

1. First you need to open the Microsoft Management Console by pressing the "Windows" button and typing "MMC" in the search box.
2. Select "File" --> "Add/Remove Snap-In"
3. Select the "Certificates" snap-in and click on "Add"
4. A window will pop up. Choose "Computer account" --> "Next" --> "Local computer" --> "Finish"
5. Now in MMC, you should be able to see an arrow icon beside "Certificates (Local computer)", click on that arrow to reveal the certificate store.
6. From there, you should be able to see the "Trusted Root Certification Authorities" folder and all the root certificates.

What Is the Intermediate Certificate and Why Is It Used?

So, what does the intermediate certificate do in this chain of trust? Considering the value and importance of the root certificate, the CAs think it risky to issue an SSL certificate DIRECTLY from a root certificate. Thus, to add another layer of security, the root certificates are used to sign the intermediate certificate which then will be used to sign the end-user certificates.

The intermediate certificate helps to reduce security risks and controls the number of root certificates issued. The intermediate certificates not only form another layer of security, but they are also more manageable if security incidents happen. In case of such a situation, only the intermediate certificates will need to be revoked instead of all the root certificates associated. To be more precisely, only the certificates that are on the same chain will be are affected and revoked. Also, if an operating system or a browser decides not to trust a root anymore, it just removes it from the root store. Then the certificates that are supposed to chain back to that root would fail and be distrusted. In this way, the cost and effect of security incidents can be well controlled and minimized.
For the same reason, there won't be too many root CAs as it can be difficult to manage all of them and could lead to secure issues. Sectigo, DigiCert, GlobalSign and Entrust are among the most popular root CAs. New CAs will undergo a series of procedures and approvals to become qualified and trusted root CAs. And before that, they'll need the help of already established CAs in order to link their certificates to the valid root certificates. And when they are qualified to issue their own root certificates, they will add their roots in the root store and replace the previous certificates with their own.

The Difference Between the Root Certificate and the Intermediate Certificate

From the above, we can conclude the following differences between the root certificate and the intermediate certificate. They are also the main points you can take away from this article.

1. Root certificates, which are stored in the root store. They can be used to issue intermediate certificates.
2. Different from intermediate certificates, root certificates are issued to and issued by the same CA.
3. The valid lifespan of the root certificate is so much longer than other certificates. The intermediate certificate will always expire before the root certificate.
4. An intermediate certificate needs to be chained back to a root certificate, otherwise it will be considered invalid.
5. The intermediate certificate is highly dependent on the root certificate. If a root certificate is problematic, the intermediate certificate issued by it will be dropped too.

The chain of trust is actually a very complex process, and the chain once one part is absent or invalid. This article has covered the basics of both root certificates and intermediate certificates, as well as their respective roles in providing authentication and secure connection. If you are looking to remove a root certificate, please refer to our article "How to Remove a Root Certificate?"