Intermediate Certificate
A certificate that sits between the root and end-entity certificates
An Intermediate Certificate serves as a bridge between the root certificate and end-entity certificates in the PKI hierarchy. Intermediate certificates are issued and signed by root CAs but are used for the actual issuance of server certificates, client certificates, and other end-entity certificates. This structure protects the root certificate's private key by keeping it offline and using intermediate certificates for operational certificate issuance.
If an intermediate certificate's private key is compromised, the CA can revoke it and issue a new intermediate without affecting the trusted root certificate. Intermediate certificates have shorter validity periods than roots (typically 5-10 years) and can be specialized for different purposes: some intermediates might be used only for DV certificates, others for OV/EV certificates, and others for code signing certificates. During the SSL/TLS handshake, servers must present not only their own certificate but also the relevant intermediate certificates so that browsers can build the complete certificate chain to a trusted root.
Missing intermediate certificates are a common cause of SSL validation errors, even when the root and end-entity certificates are valid.
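The missing-intermediate failure described above can be reproduced offline with the openssl command line. This is an added example, not part of the original glossary entry; the CA names, file names and the www.example.test host are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo PKI (hypothetical names): Demo Root CA -> Demo Intermediate CA -> www.example.test

# issue DIR NAME CN EXTFILE [ISSUER]: make a key and CSR, then sign it (self-signed if ISSUER is omitted).
issue() {
  dir=$1 name=$2 cn=$3 ext=$4 issuer=${5:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
  if [ -n "$issuer" ]; then
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" \
      -set_serial "0x$(openssl rand -hex 8)" -days 30 -extfile "$ext" -out "$dir/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
      -days 30 -extfile "$ext" -out "$dir/$name.pem" 2>/dev/null
  fi
}

# build_demo_pki DIR: write root.pem, int.pem and leaf.pem (plus keys) into DIR.
build_demo_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"
  issue "$dir" root "Demo Root CA" "$dir/ca.ext" &&
  issue "$dir" int "Demo Intermediate CA" "$dir/ca.ext" root &&
  issue "$dir" leaf "www.example.test" "$dir/leaf.ext" int
}

# check_chain ROOT LEAF [SENT_INTERMEDIATES]
# -CAfile plays the client's trust store; -untrusted plays the extra certs a server sends in the handshake.
check_chain() {
  out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) && { echo "chain ok"; return 0; }
  case $out in
    *"unable to get local issuer certificate"*) echo "missing intermediate"; return 1 ;;
    *) echo "other failure"; return 2 ;;
  esac
}

# Demo: the same valid leaf and trusted root, verified with and without the intermediate.
demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir"
echo "leaf only:           $(check_chain "$demo_dir/root.pem" "$demo_dir/leaf.pem")"
echo "leaf + intermediate: $(check_chain "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem")"
rm -rf "$demo_dir"
```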
Where You'll See This Term
This term commonly appears in:
- SSL certificate details pages
- Certificate Authority validation processes
- SSL configuration documentation
- Security audit reports
- Certificate management interfaces