What is the difference between a root certificate and an intermediate certificate?
At first glance, an SSL certificate seems straightforward. They let professionals handle the certificate configuration and renewal. Users without prior experience who prefer to install an SSL certificate by themselves are in for a surprise. All together, they form the SSL chain of trust: an ordered list of certificates that allows the receiver (a web browser) to verify that the sender (your secure server) and the CA are reliable.
You can also inspect the SSL chain of trust by clicking the padlock of any website and selecting the Certification Path tab. Who decides which CA is trustworthy? In a nutshell, browsers and applications, because all of them include a root store in their installation pack.
A root store is a list of pre-downloaded, trusted root certificates from various CAs. Rather than revoke the root certificate and literally every certificate that it had signed, you just revoke the intermediate, which only causes the group of certificates issued off that intermediate to get distrusted.

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
July 28, Guest Blogger: Anastasios Arampatzis.

What are Certificate Chains?

A certificate chain is a list of certificates (usually starting with an end-entity certificate followed by one or more CA certificates, usually the last one being a self-signed certificate) with the following properties: The issuer of each certificate (except the last one) matches the subject of the next certificate in the list.
Each certificate except the last one is supposed to be signed by the secret key corresponding to the next certificate in the chain i.
The last certificate in the list is a trust anchor: a certificate that you trust because it was delivered to you by some trustworthy procedure. A trust anchor is a CA certificate (or more precisely, the public verification key of a CA) used by a relying party as the starting point for path validation. There are three parts to the chain of trust: Root Certificate. A root certificate is a digital certificate that belongs to the issuing Certificate Authority.
Intermediate Certificate. Intermediate certificates branch off root certificates like branches of trees. They act as middle-men between the protected root certificates and the server certificates issued out to the public. There will always be at least one intermediate certificate in a chain, but there can be more than one.
Server Certificate. The server certificate is the one issued to the specific domain the user needs coverage for.
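The chain properties and the three parts described above, as an added Go example (not code from the original article). It builds a throwaway root, intermediate and server certificate, checks each issuer/subject and signature link, and goes one step beyond the text by validating the server certificate with and without the intermediate available. The helper names `issue` and `Demo` and the names "Example Root CA", "Example Intermediate CA" and "www.example.test" are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a throwaway certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, ku x509.KeyUsage, dns []string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: dns, KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = tpl, key // root: issuer and subject are the same entity
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds server -> intermediate -> root (constructed names) and runs link checks and path validation.
func Demo() (linksOK bool, withInter, withoutInter error) {
	root, rk := issue("Example Root CA", x509.KeyUsageCertSign, nil, nil, nil)
	inter, ik := issue("Example Intermediate CA", x509.KeyUsageCertSign, nil, root, rk)
	leaf, _ := issue("www.example.test", x509.KeyUsageDigitalSignature, []string{"www.example.test"}, inter, ik)
	link := func(c, p *x509.Certificate) bool { // issuer == next subject, and next key verifies the signature
		return string(c.RawIssuer) == string(p.RawSubject) && c.CheckSignatureFrom(p) == nil
	}
	linksOK = link(leaf, inter) && link(inter, root)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // the root store: the only certificate trusted a priori
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.test"}
	_, withoutInter = leaf.Verify(opts) // intermediate pool is still empty here
	inters.AddCert(inter)
	_, withInter = leaf.Verify(opts)
	return
}

func main() { fmt.Println(Demo()) }
```

Without the intermediate, validation fails even though the root is trusted, because the verifier cannot build a path from the server certificate to the trust anchor.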
Also, in Windows OS, separate tabs are kept, such as Trusted Root certificate authorities and intermediate certificate authorities, which can be found in an account console of the local computer.
Also, SSL Certificate Authorities like Comodo make use of the intermediate certificate, which is installed once. Root certificates belong to the Certificate Authority, which owns one or more trusted roots that are stored in all the major web browsers.