Root, intermediate and SSL certificates — oh, my! These are terms you may have heard while browsing online. But what is a root certificate, and how does it differ from other digital certificates?

You probably don’t consciously think about data integrity, privacy protection and end-entity authentication when browsing the internet. But even when you’re not thinking about online security, root certificates and the SSL system are. 

When it comes to internet safety, Panda Dome by Panda Security helps you purposefully protect your privacy, while root certificates continuously verify digital certificates and keep you protected across the web.

What Is a Root Certificate?

A root certificate is a digital certificate that can be used to issue other certificates in the TLS/SSL system. These certificates are issued by a verified certificate authority (CA), which is the only trusted entity with the ability to issue authentic SSL certificates.

Sometimes referred to as a trusted root, root certificates are at the heart of the trust model used to secure the public key infrastructure. They use private keys — similar to encrypted passwords — to sign certificates. This signature notifies browsers that a certificate can be trusted, which eliminates the need for multiple rounds of authentication.

These certificates are also kept in root stores across devices. Each root store contains multiple pre-downloaded certificates, which then sign off on and run root programs on multiple devices and browsers.

Root certificate image illustrated how a root certificate works.

Chained Roots vs. Single Roots

Root certificates can be separated into two types of roots:

  • Chained roots: root certificates included in a certificate chain
  • Single roots: root certificates not included in a certificate chain

These trusted roots have various differences, including:

  • How they are installed
  • Their certification stability
  • When and how they expire
  • What type of signature they receive

Both types of trusted roots are able to sign and issue other digital certificates, but chained roots use intermediate certificates to sign end entities.

Chained Root CertificatesSingle Root Certificates
InstallationManual installationAutomatic installation
StabilityLess stableMore stable
ExpirationTrust can be lost twice — when either the chained or root certificate expiresTrust can be lost once — when root certificate expires
SignatureSigned by an intermediate certificateSigned by the root certificate of a CA

What Is an Intermediate Certificate?

Intermediate certificates are digital certificates that often act as the middleman between root certificates and end-entity certificates. Many CAs have begun allowing intermediate certificates to verify and authenticate requests before connecting them to a root certificate. 

The CA will sign an intermediate certificate with a private key, passing along its trust. After an intermediate certificate receives a CA’s trust, it can use its own private key to sign an end-entity certificate. During this process, there can be more than one intermediate certificate placed between a trusted root and its end entity.

Root certificate signs the intermediate certificate which signs the end-entity certificate.

What Are Certificate Chains?

Certificate chains are the links between a trusted root certificate and its end entity. Root certificates, intermediate certificates and end entities can all be part of a certificate chain.

 Additionally, a certificate chain includes:

  • CA issuer details
  • Current and next certificate issuers and subjects
  • Certificate signatures
  • A last certificate — known as a trust anchor

The certificate chain is enabled when a browser attempts to authenticate a certificate’s validity, which happens when users land on a webpage. The chain then follows a series of steps:

  1. A certificate signing request (CSR) is generated.
  2. The root certificate produces a private key.   
  3. The CSR is sent to the CA.
  4. The CA uses the private key to sign an SSL certificate.
  5. The browser verifies certificate’s trustworthiness based on the root signature.

If an intermediate certificate is necessary, it will be signed by the root certificate first before it is able to sign an SSL certificate. This trust model is designed to help browsers identify safe, trustworthy sites for users, and if a browser is unable to identify the trusted root of a chain, it will not trust the certificate.

Complete and incomplete certificate chains.

Root and Intermediate Certificates: The Difference

Both root and intermediate certificates help browsers reach the same goal: verify and trust certificates. However, these certificate types have a few major differences.


Root and intermediate certificates have different values within the certificate chain. Because they work as intermediaries, intermediate certificates are valued less in the trust chain. Root certificates — which are automatically trusted by browsers — are higher-value items. 


Both root and intermediate certificates can issue SSL certificates. However, intermediate certificates must have a CA certificate signature to sign end entities, while root certificates are automatically able to issue other digital certificates.


When it comes to root certificates, they are self-signed — the “Issued to” and “Issued by” fields are identical. Intermediate certificates are cross-signed, meaning they have different issuers and users.

Certification Path

Root certificates appear at the top of a trust model’s certification path. They can sign and issue certificates — no middleman needed. If CAs sign intermediate certificates, they appear after root certificates in the certification path, and multiple intermediaries may be included in a single path.


To sign intermediaries, root certificates use private keys. These keys are more secure than the single keys intermediate certificates use to sign other certificates, including end-point certificates.


If an intermediate certificate is damaged, it is no longer usable and will need to be removed to prevent further harm. However, damage to a root certificate is substantially more dangerous because it can grant hackers access to an entire system — these certificates should be kept offline to lower this possibility.


Both root and intermediate certificates have validation and expiration periods, but each is different. A root certificate’s validation period can last up to 10 or 20 years, while an intermediary’s expiration date is restricted to one or two years.

The seven differences between root and intermediate certifictes.

Root Certificate FAQ

We provide answers to a few common root certificate questions below.

What Does a Root Certificate Do?

Root certificates verify that software and website users are who they say they are. Trusted roots are crucial to the digital authentication process and online security.

Where Can I Find the Root Certificate?

Finding the root certificate depends on which browser you are using, but there are a few general steps. 

  1. Click the lock icon next to the URL in your browser.
  2. Select Connection is secure.
  3. Choose Certificate is valid.
  4. In the pop-up box, verify the issuer, validity period, and type of certificate in both the general and details tabs.

Is a Root Certificate Necessary?

A root certificate is necessary because it is used to verify the authenticity of other intermediate and end-entity certificates. Without a root certificate, a system is left either unprotected or unusable.

By answering “What is a root certificate?” and determining the differences between trusted roots and intermediate certificates, you can understand how browsers verify actions and requests. While these certificates can keep your information secure, premium protection services offer a variety of additional online safety features for you and your family.

Sources: AppViewX | Secure128 |