Understanding SSL Certificates with Root & Intermediates

Let us discuss some of the SSL terminology used during SSL certificate configuration in servers. Most of the IT people are well aware of some cryptography terms like PKI(Public Key Infrastructure), SSL certificate, Private, Public keys and Certificate Authority(CA) but many times people get confused when people talk about next-level technical terms around it.

Whenever we get a request to renew the SSL certificate there is always confusion around Intermediate Certificate, Root Certificate, Customer Signing Request, etc. Even I saw many people don’t have the right understanding of the type of SSL certificate that they should request from CA. CA acts as a trusted third party between server and client.

Let us first list those terms on which we will try to give clarity:

  1. Trusted Store
  2. Root CA(Certificate Authority)/Issuer
  3. Root Certificate(a.k.a. Trusted root)
  4. Intermediate CA/Subsidiary CA
  5. Intermediate Certificate
  6. Certificate Chain
  7. Leef Certificate/Final Customer SSL Certificate
  8. Customer Signing Request(CSR)
  9. Digital Signing Signature

Second, there is some confusion around which type of certificate you should request from CA so here we are listing types of certificates that we should keep in mind while requesting a new cert:

1. Standard SSL Certificate
2. Wildcard Certificate
3. SAN Certificate(Subject Alternate Names) a.k.a. Unified Communication Certificate
4. Restricted SSL Certificates
5. All the above certificates with additional features like EV(Extended Verification)
, DV(Domain Validation), OV(Organization Validation)Pro Site Service and some Premium features and these terminologies are totally dependent on one CA to another CA.

I am keeping a reference of related blogs that you can use to read further to stitch things together as I will be only providing a small description about it as otherwise it will stretch this blog. Reference SAN vs Wildcard SSL Cert and Root & Intermediates. To read more in-depth about how technically all such things are working behind the scene for encryption and decryption in PKI is available on another interesting blog.

Let us first stitch things on terminology while issuing or renewing new SSL cert:

1. Trusted Store: A root store is a collection of pre-downloaded root certificates (and their public keys) that live on the device itself. Generally, the device will use whatever root store is native to its OS, otherwise, it might use a third-party root store via an app like a web browser.

There are several major root programs of note by big players:


2. Root CA(Certificate Authority)/Issuer: Root CA is among top-level CA that signs and further authorize intermediate CA’s.There are limited Root CA’s conducting business due to stringent policy around it and you have to be in the market for a longer period of time before applying for the Root CA position.
3. Root Certificate(a.k.a. Trusted root): A root certificate is a special kind of X.509 digital certificate that can be used to issue other certificates. A root certificate is invaluable because any certificate signed with its private key will be automatically trusted by the browsers. Root Certificate has longer life span > 20 or 30 years.
4. Intermediate CA/Subsidiary CA: Certificate Authorities do not issue server/leaf certificates (end-user SSL certificates) directly of their roots so they grant this authority to Intermediate or Subsidiary CA’s that further creates leaf certificates. Intermediate CA is an independent business entity.
5. Intermediate Certificate:
An intermediate certificate is a subsidiary certificate issued by the trusted root specifically to issue end-entity(leaf) server certificates.

6. Certificate Chain: These links, from root to intermediate to leaf – are the certificate chain. You will find multiple certificates in a single certificate file.
7. Leaf Certificate/Final Customer SSL Certificate:
This is the actual certificate file that customers use to configure on servers. It is generated as per your CSR to CA.
8. Customer Signing Request(CSR): It is a request in which you input details about the certificate and its type that you would like to request from CA including Country, Organization, Wildcard or SAN Canonical Names(CN) Company, Email ID, Pass Phrase, etc. You handover this CSR file to CA for your certification request and CA uses it to create an SSL certificate for you.

9. Digital Signing Signature: Digital Signature is used to verify the authenticity of the certificate/content. Read more details on What is a Digital Signature?

difference between root and intermediate certificate
Hierarchy of Root/Intermediate/SSL Leaf Certificate

Let us move to types of certificate:

1. Standard SSL Certificate: It is a type of certificate in which you mention only get an SSL certificate for a single URL. For example www.example.com
2. Wildcard Certificate:
It is a type of certificate in which you can request a certificate for a complete subdomain. For example: *.example.com
3. SAN Certificate(Subject Alternate Names) a.k.a. Unified Communication Certificate:
It is a type of certificate in which you can request a certificate for multiple subdomains. For example www.example.org, www.example.com,www.anotherexample.net, etc.
4. Restricted SSL Certificates: It is an alternative to a SAN certificate but with a specific number of URLs. For example, only 4 domains can be listed in the request.
5. All the above certificates with additional EV(Extended Verification), Pro Site Service and some Premium features and these terminologies are totally dependent on one CA to another CA: Most of the CA provides some extra features to gain more profit by providing some extended services on requested certs. For example, you will see the secure Seal of company name in the browser URL field, etc.

Wildcard vs SAN SSL

Please find a reference list of top 5 vendors or CA with their feature and good and bad thing about them and some of them even providing you free certificates that can help to meet your SSL requirements for your secure(https) website.

Some easy to use OpenSSL command to create a new private key, CSR request and SSL certificate.Ref Most common openssl commands:

Create Private Key, CSR and SSL Certificate in simple 2 steps:
#openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
#openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

Verify Private Key, CSR and SSL Certificate:
#openssl rsa -in privateKey.key -check
#openssl req -text -noout -verify -in CSR.csr
#openssl x509 -in certificate.crt -text -noout

Some useful links that might be handy during cert verification and I am quoting Digicert(Symantec) details here but there are other CA’s as well like Godaddy, Comodo, etc.

DigiCert Intermediate Certs

Check CSR on DigiCert Website

In the era of cloud, even you need not pay for SSL certificates as most of the big cloud vendors are providing these certificates free of cost as part of their cloud service portfolio. For example, AWS provides AWS Certificate Manager Service.

Let us conclude this blog as we have talked on terminologies, types of SSL certificates, related blogs and about how to create new certs using OpenSSL and will be writing more related topics around it under security labeled blogs.