What is an intermediate SSL certificate and how does it fit into the certificate chain?
Typically, when you hear SSL described, the entire concept of certificate chaining is left out, or if it is covered it is done in a cursory fashion with no mention of intermediate SSL certificates. Rather, you hear that an SSL Certificate must be issued by a trusted Certificate Authority (CA), that the CA is trusted because its root is pre-loaded into the trust store of most browsers, and that when the browser sees an SSL Certificate issued by a trusted root, a secure connection is established.
And why not stick with that version when you’re teaching SSL? It’s simple. It’s tidy.
It’s also not entirely accurate.
You see, that version also raises several questions. What does it take to become a trusted root? How does a CA get its root included in a trust store? If you follow that explanation to its logical conclusion, it would be nearly impossible for anyone to start a new CA, since there is no clear path to gaining trusted status and having your root added to a trust store.
That’s where intermediate SSL certificates come into the picture.
What are Intermediate SSL Certificates?
In order to really delve into what an intermediate SSL certificate is we need to zoom out a little and start with the certificate chain itself. In the example we just looked at, the certificate chain consists of two certificates, the SSL Certificate itself and the trusted root that it was issued from.
As we said, this is clean and neat but typically not the way things work.
The issue is that trusted roots are highly valuable and if they’re ever compromised the ramifications could be absolutely devastating—not just for the CA that owns the root but for the SSL industry itself.
This is why intermediate SSL certificates exist. They offer new CAs an opportunity to issue their own certificates while still being chained to a trusted root, and they allow CAs that already own trusted roots to add a much-needed layer of protection between the certificates they issue and their root certificates.
In the case of a new CA, gaining trusted status is a process that takes years. You must start by abiding by the standards and regulations set forth by the CA/Browser Forum, a de facto governing body that creates and enforces regulations for Certificate Authorities.
Most new CAs will partner with older, more established CAs that are willing to issue an intermediate certificate from their trusted root. The fledgling CA then issues SSL Certificates to its customers from its intermediate certificate. When a browser reaches a website with one of the fledgling CA’s certificates installed, it follows the certificate chain from that certificate back to the intermediate certificate and then back to the trusted root, at which point it establishes an encrypted connection.
CAs without a trusted root are sometimes called Intermediate CAs.
For CAs that do have a trusted root, adding an intermediate SSL certificate provides a layer of security. As we discussed, a compromise of a root certificate is costly and dangerous. CAs almost never issue to end users from their root. Rather, they issue intermediate SSL certificates, like the ones they would issue to an Intermediate CA, and then issue to customers via the intermediate SSL certificate. This way, if a compromise occurs, it is far easier to revoke the intermediate than to lose a trusted root.
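The chain walk described above, as an added example that is not part of the original article: a small Python model of how a browser builds a chain from the server’s certificate back to a trusted root. The names (Example Root CA, Example Issuing CA, www.example.com) are constructed, the trust store holds roots only, and the issuer’s signature is represented by a matching key identifier rather than a real public-key signature check. It also shows the two failures the article mentions: a revoked intermediate (the root stays trusted) and a server that did not install its intermediate alongside the leaf.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str     # identifier of this certificate's own public key
    signed_by: str  # key_id of the issuer key that signed it (stands in for the signature)

# Constructed demo hierarchy: trusted root -> intermediate -> server (leaf) certificate.
ROOT = Cert("Example Root CA", "Example Root CA", "root-key", "root-key")
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", "ica-key", "root-key")
LEAF = Cert("www.example.com", "Example Issuing CA", "leaf-key", "ica-key")

# A browser trust store holds roots only; intermediates must be sent by the server.
TRUST_STORE = {ROOT.subject: ROOT}

def build_chain(leaf, presented, trust_store, revoked=frozenset()):
    """Walk from the leaf back to a trusted root, as a browser does during the handshake.
    Returns the chain as a list of subjects, or raises ValueError saying why it broke."""
    by_subject = {c.subject: c for c in presented}  # certificates the server sent
    by_subject.update(trust_store)                  # plus the locally trusted roots
    chain, current, seen = [leaf], leaf, {leaf.subject}
    while current.subject not in trust_store:       # stop once we reach a trust anchor
        if current.subject in revoked:
            raise ValueError(f"{current.subject} has been revoked")
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            raise ValueError(f"unable to get local issuer certificate for {current.subject}")
        if issuer.key_id != current.signed_by:
            raise ValueError(f"{current.subject} was not signed by {issuer.subject}")
        if issuer.subject in seen:
            raise ValueError("certificate chain loops")
        seen.add(issuer.subject)
        chain.append(issuer)
        current = issuer
    return [c.subject for c in chain]

def try_chain(presented, revoked=frozenset()):
    """Return the built chain, or the failure reason as a string."""
    try:
        return build_chain(LEAF, presented, TRUST_STORE, revoked)
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    print(try_chain([LEAF, INTERMEDIATE]))  # full chain: intermediate installed with the leaf
    print(try_chain([LEAF]))                # server forgot the intermediate: chain breaks
    print(try_chain([LEAF, INTERMEDIATE], revoked={INTERMEDIATE.subject}))  # intermediate revoked
```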
So What Does this All Mean to Me?
In the greater scheme of things? Not much. The certificate chain is something your browser worries about while verifying the authenticity of an SSL Certificate. This is done during the SSL Handshake, a complex verification and negotiation process in which your browser confirms the legitimacy of the certificate and then negotiates the terms of an encrypted connection.
The whole process takes just milliseconds and it’s all done behind the scenes.
In terms of how it affects you as an individual, the only thing it might change is how much you have to do during the installation process. If you are tasked with installing your own SSL Certificate, there is a good chance you will need to download and install the intermediate SSL certificate alongside your actual SSL Certificate. Still, this is a relatively straightforward process that is no more complicated than installing the SSL Certificate itself.
Intermediate SSL certificates, and certificate chaining in general, may not be the sexiest part of the SSL ecosystem, which is why they are oftentimes left out of the discussion entirely, but they are still an extremely important part of the process nonetheless.
So don’t go forgetting about them!