While the root certificate in itself is sufficient to implement the SSL security, in practice, most CAs make use of intermediate certificates. This is because of the practicalities involved in attaining the essential qualifications required to issue a CA.
In most general cases, a CA starts with issuing cross-certificates. These digital certificates are issued by one CA that links to a public key of a root certificate issued by another well-established CA.
A beginner certifying authority just starting its operations may not have the necessary qualifications to issue a root certificate yet. Hence, it will use another well-established CA’s services and link its certificates to a valid root certificate, thus forming the chain of trust. A single trusted root certificate will be linked to multiple other intermediate certificates with cross-certificates, thus allowing the users to get a valid trust chain for their SSL implementation.
Once the CA gets the necessary validation and is deemed trustworthy to issue its own root certificates, it will replace the trust anchor with its own root certificates. And the corresponding roots will be added to the root store.
Thus intermediate certificates serve to bridge the gap between an intermediate CA and a trusted root certificate. They are used to let growing CA companies find their footing and help establish a consumer base. Upon proper validation, they will issue their own root certificates completing the trust chain without another CA’s help.
Some more reasons why intermediate certificates are used are listed down below
- Intermediate certificates help control the number of root certificates in use and help mitigate security risks and fraud. As more and more users implement SSL sites, the number of root CAs will also increase. But having too many root CAs can lead to serious security implications, which intermediate certificates aim to resolve. They provide a means for the root CAs to delegate some of the certificate issuing responsibilities to intermediate CAs, providing intermediate certificates that will substitute for a root certificate.
- Intermediate certificates can be replicated in high numbers without compromising the security framework and helping establish the Chain of trust.
- They help with the scalable implementation of the SSL network.
Almost all trusted CAs use intermediate certificates as it adds an additional layer of security and helps manage security incidents gracefully. In case of a security attack, only the intermediate certificate needs to be revoked instead of revoking the root certificate and all of its associated certificate that it has been used to sign.
By revoking just the intermediate certificate in question, only the group of certificates that are in the same chain as the intermediate certificate will be affected, thus minimizing the cost and impact of the security incident.