One of the most oft-misunderstood parts of SSL/TLS certificates is the intermediate certificate. Many website owners receive a RapidSSL intermediate certificate bundled with their RapidSSL SSL/TLS certificate and have no idea what to do with it.

We get questions all the time about what they are, what they do and whether they need to be installed. On some rare occasions, the site owner accidentally installs the RapidSSL intermediate instead of the leaf SSL/TLS certificate and causes a massive nuclear reaction that blows apart the server the site is hosted on and craters several city blocks. You may have seen this in the news, the official story they give is it was a fireworks factory explosion. But trust us, they installed the RapidSSL intermediate instead of the leaf.

You’re supposed to install both certificates. That’s why we’ve written this article to explain what an intermediate is and why you should be installing both. Then we’ll give you a place to download the RapidSSL intermediate certificate.

What is a RapidSSL Intermediate Certificate?

The most straightforward answer is that a RapidSSL intermediate certificate is an intermediate certificate that’s bundled with RapidSSL SL/TLS certificates. However, to provide clarification, we first need to start a level above (or below? Roots are usually below) at the root certificate authority (CA) certificates. These are the certificates administered directly by the CA organizations that validate and issue digital certificates. The root CA certificate is a special kind of digital certificate with a longer lifespan and a private key that can make trusted signatures, or put another way, anything the root CA signs is trusted.

Obviously, this is quite a powerful certificate. So, to insulate themselves, the CAs typically spin up an intermediate root and use those to sign with in lieu of using the roots directly. Intermediate roots are similar to true roots in that they can sign certificates and those certificates become trusted.

The reason for this is the certificate chain. When a client is presented with a leaf SSL/TLS certificate, it checks who signed it. Then it goes up a level to that certificate, the one that signed it, and sees who signed that one. It will continue following signatures until it can follow the chain back to one of its trusted root certificates. If it can’t it issues an error.

Now, the root certificates are parts of a root or trust store. These are administered by:

• Apple
• Google
• Microsoft
• Mozilla

The issue is that the intermediates don’t live on the client’s system. So, when a client is presented with a leaf certificate, if the intermediate that signed it isn’t available, it can’t complete the chain and issues an error. Some browsers cache intermediates, but you don’t want to count on this.

So, that’s why you need to install the intermediate certificate. The RapidSSL intermediate certificate is one such intermediate and it comes bundled with all RapidSSL certificates. Hence why some people call it a RapidSSL intermediate certificate.

But we get the sense you might have lost it, or maybe just misplaced it, so we’ve provided a way below for you to access the RapidSSL intermediate certificate so you can install it on your server. While installation processes vary from server to server, just follow the same steps you did while installing your leaf SSL certificate. Now, when the server presents the certificate to the client during the handshake, it will present both the leaf and the intermediate. The client will know how to make sense of them, you just need to make sure it sees them both.

Where to Get the RapidSSL Intermediate Certificate

Wondering where you can get or download RapidSSL intermediate certificates? Look no further. Because we like to be helpful — and because we think you’re such a swell person — we’ve decided to make this super easy for you. Simply copy and paste the following code to get your intermediate certificate:

—–BEGIN CERTIFICATE—–
MIIEszCCA5ugAwIBAgIQCyWUIs7ZgSoVoE6ZUooO+jANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
MjAeFw0xNzExMDIxMjI0MzNaFw0yNzExMDIxMjI0MzNaMGAxCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xHzAdBgNVBAMTFlJhcGlkU1NMIFRMUyBSU0EgQ0EgRzEwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC/uVklRBI1FuJdUEkFCuDL/I3aJQiaZ6aibRHj
ap/ap9zy1aYNrphe7YcaNwMoPsZvXDR+hNJOo9gbgOYVTPq8gXc84I75YKOHiVA4
NrJJQZ6p2sJQyqx60HkEIjzIN+1LQLfXTlpuznToOa1hyTD0yyitFyOYwURM+/CI
8FNFMpBhw22hpeAQkOOLmsqT5QZJYeik7qlvn8gfD+XdDnk3kkuuu0eG+vuyrSGr
5uX5LRhFWlv1zFQDch/EKmd163m6z/ycx/qLa9zyvILc7cQpb+k7TLra9WE17YPS
n9ANjG+ECo9PDW3N9lwhKQCNvw1gGoguyCQu7HE7BnW8eSSFAgMBAAGjggFmMIIB
YjAdBgNVHQ4EFgQUDNtsgkkPSmcKuBTuesRIUojrVjgwHwYDVR0jBBgwFoAUTiJU
IBiV5uNu5g/6+rkS7QYXjzkwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMDQGCCsGAQUFBwEB
BCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEIGA1Ud
HwQ7MDkwN6A1oDOGMWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEds
b2JhbFJvb3RHMi5jcmwwYwYDVR0gBFwwWjA3BglghkgBhv1sAQEwKjAoBggrBgEF
BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw
CAYGZ4EMAQIBMAgGBmeBDAECAjANBgkqhkiG9w0BAQsFAAOCAQEAGUSlOb4K3Wtm
SlbmE50UYBHXM0SKXPqHMzk6XQUpCheF/4qU8aOhajsyRQFDV1ih/uPIg7YHRtFi
CTq4G+zb43X1T77nJgSOI9pq/TqCwtukZ7u9VLL3JAq3Wdy2moKLvvC8tVmRzkAe
0xQCkRKIjbBG80MSyDX/R4uYgj6ZiNT/Zg6GI6RofgqgpDdssLc0XIRQEotxIZcK
zP3pGJ9FCbMHmMLLyuBd+uCWvVcF2ogYAawufChS/PT61D9rqzPRS5I2uqa3tmIT
44JhJgWhBnFMb7AGQkvNq9KNS9dd3GWc17H/dXa1enoxzWjE0hBdFjxPhUb0W3wi
8o34/m8Fxw==