Intermediate Certificate

A certificate that sits between the root and end-entity certificates

PKI Infrastructure

An Intermediate Certificate serves as a bridge between the root certificate and end-entity certificates in the PKI hierarchy. Intermediate certificates are issued and signed by root CAs but are used for the actual issuance of server certificates, client certificates, and other end-entity certificates. This structure protects the root certificate's private key by keeping it offline and using intermediate certificates for operational certificate issuance.

If an intermediate certificate's private key is compromised, the CA can revoke it and issue a new intermediate without affecting the trusted root certificate. Intermediate certificates have shorter validity periods than roots (typically 5-10 years) and can be specialized for different purposes: some intermediates might be used only for DV certificates, others for OV/EV certificates, and others for code signing certificates. During the SSL handshake, servers must present not only their own certificate but also the relevant intermediate certificates to help browsers build the complete certificate chain to a trusted root.

Missing intermediate certificates are a common cause of SSL validation errors, even when the root and end-entity certificates are valid.
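The failure described above can be reproduced offline with the openssl command line. This is an added example, not part of the original page: it builds a throwaway root, intermediate and leaf (all subject names, file names and function names are constructed for illustration), then verifies the leaf as a client that trusts only the root would, first without and then with the intermediate.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf PKI (all names made up).

csr() {  # $1 = file prefix, $2 = subject CN; writes $1.key and $1.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_demo_pki() {  # $1 = empty working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    csr "$d/root" "Demo Root CA" &&
    csr "$d/int" "Demo Intermediate CA" &&
    csr "$d/leaf" "www.example.test" &&
    # Root signs itself; root signs the intermediate; the intermediate signs the leaf.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Client view: only the root is trusted. Anything the server sends besides its
# own certificate is passed as -untrusted material for chain building.
verify_as_client() {  # $1 = dir, $2 = "leaf-only" or "with-intermediate"
    if [ "$2" = "with-intermediate" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
    fi
}

demo=$(mktemp -d)
build_demo_pki "$demo"
verify_as_client "$demo" leaf-only         && echo "leaf only: OK" || echo "leaf only: FAILED (chain incomplete)"
verify_as_client "$demo" with-intermediate && echo "leaf + intermediate: OK" || echo "leaf + intermediate: FAILED"
rm -rf "$demo"
```

Both the root and the leaf are valid in each run; only the presence of the intermediate changes the result.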

Where You'll See This Term

This term commonly appears in:

  • SSL certificate details pages
  • Certificate Authority validation processes
  • SSL configuration documentation
  • Security audit reports
  • Certificate management interfaces
