Root Certificate
The top-level certificate in the trust hierarchy
A Root Certificate is the top-level certificate in a Public Key Infrastructure (PKI) hierarchy and serves as the ultimate trust anchor for every certificate issued under a Certificate Authority (CA). Root certificates are self-signed, meaning they are signed with their own private key; that signature only proves the certificate is consistent with its own key, so a root's trustworthiness comes from its inclusion in browser and operating system trust stores rather than from cryptographic verification against any higher authority. Major browser vendors and OS manufacturers maintain these trust stores and decide which root certificates to include based on rigorous security audits and compliance with industry standards.
Root certificates have very long validity periods (typically 15-30 years), and their private keys are stored in highly secure Hardware Security Modules (HSMs), often in geographically distributed facilities with strict physical and logical access controls. Root CAs typically don't issue end-entity certificates directly; instead, they issue intermediate certificates that are used for day-to-day certificate issuance. This keeps the root private key out of routine use and limits its exposure.
If a root certificate is compromised or distrusted, every certificate that chains to it, including those issued through its intermediates, is no longer trusted, making root certificate security paramount.
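As an added example (not part of this glossary entry), the following openssl script builds a constructed root/intermediate/leaf hierarchy and shows that the same validly signed chain is accepted only when the self-signed root is in the trust store; all names, key sizes and validity periods are made up for the demonstration.

```shell
# Added example (not from the glossary page): build a three-tier hierarchy with
# openssl (self-signed root -> intermediate -> leaf) and check the leaf against
# different trust-store contents. Names, key sizes and lifetimes are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# 1. Self-signed root: the trust anchor. Its signature only proves the certificate
#    matches its own key; nothing in the file says anyone should trust it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 7300 -extfile root.ext \
  -out root.pem >/dev/null 2>&1
# 2. Intermediate signed by the root; pathlen:0 means it may only sign leaves.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Issuing CA" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out inter.pem >/dev/null 2>&1
# 3. End-entity certificate signed by the intermediate, never by the root itself.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 398 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
# Root in the trust store (-CAfile); intermediate supplied as untrusted chain
# material, as a TLS server would send it. Exit status 0: chain verified.
verify_root_trusted() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Same certificates, same valid signatures, but the root is only in the untrusted
# bundle: fails with "self-signed certificate in certificate chain".
verify_root_not_in_store() {
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/root.pem" \
    -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# The intermediate alone is not a trust anchor: without -partial_chain the path
# must end at a self-signed root in the store, so this fails too.
verify_intermediate_only() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/inter.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}
verify_root_trusted && echo "leaf chains to the trusted root"
verify_root_not_in_store || echo "same chain rejected: root not in trust store"
verify_intermediate_only || echo "intermediate alone is not a trust anchor"
```

Distrusting a root in practice is the inverse of the first check: removing root.pem from the store makes every leaf under it fail the same way the second check does.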
Where You'll See This Term
This term commonly appears in:
- SSL certificate details pages
- Certificate Authority validation processes
- SSL configuration documentation
- Security audit reports
- Certificate management interfaces