Chain of certificates: root, intermediate

Lecture



A certificate authority issues not just a single certificate but a chain of certificates (a CA bundle), each link of which helps establish end-user trust.
Each recognized certificate authority provides its own root certificate. In most cases it is already built into browsers; this applies to Comodo, GeoTrust, Thawte and VeriSign, presented on our website. On its own, the certificate for your domain will not be considered trusted by the browser. It must be linked to the certificate authority's root certificate through one or more intermediate certificates. In this chain, each certificate is trusted and signed by a higher-level certificate. Each type of certificate has its own intermediate certificates, whose sequence is given below. You can download the root and intermediate certificate(s) from the certificate authorities' own sites.

Comodo
Root and intermediate certificates are sent in one file along with the main certificate. Depending on the type of certificate, the chain looks like this:

EV
- Root: AddTrustExternalCARoot.crt
- Intermediate 1: COMODOAddTrustServerCA.crt
- Intermediate 2: COMODOExtendedValidationSecureServerCA.crt
- End-Entity / Domain Certificate

InstantSSL
- Root: AddTrustExternalCARoot.crt
- Intermediate: ComodoHigh-AssuranceSecureServerCA.crt
- End-Entity / Domain Certificate

EssentialSSL
- Root: AddTrustExternalCARoot.crt
- Intermediate 1: UTNAddTrustSGCCA.crt
- Intermediate 2: ComodoUTNSGCCA.crt
- Intermediate 3: EssentialSSLCA_2.crt
- End-Entity / Domain Certificate

PositiveSSL
- Root: AddTrustExternalCARoot.crt
- Intermediate: PositiveSSLCA2.crt
- End-Entity / Domain Certificate

You can download the archive containing the certificate chain from the Comodo website. Since 2014, new certificates from this certificate authority are issued by default with the SHA-2 hash algorithm, which is more secure. Since not all client programs support the new algorithm, it is still possible to obtain a certificate chain that uses SHA-1.
Note: Archives with the [OLD] prefix refer to certificates issued earlier than 2012.

GeoTrust
This certificate authority sends the certificate not in an archive but in the body of the email. It is located under the heading INTERMEDIATE CA.
You can download the complete certificate chain from the following pages of the official GeoTrust website:
RapidSSL - on this page.
QuickSSL, QuickSSL Premium - here.
True BusinessID / True BusinessID Wildcard - here.
True BusinessID with EV is here.

Thawte
You can download the Thawte Root certificate from this page.
Download Intermediate certificate - from this page.

VeriSign
VeriSign offers its Root certificate for download on the page.
Intermediate certificates are presented on the page.

Note: Each certificate authority may offer different intermediate certificates for download, depending on the certificate's year of issue, the length of the encryption key, and the encryption algorithm. Pay attention to these parameters; if an inappropriate certificate is installed, the connection will not be trusted.
If you do not install an intermediate certificate, an encrypted connection may not work at all.
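
The effect of a missing intermediate certificate can be reproduced offline with OpenSSL. The script below is an added example, not part of the original lecture or any CA's tooling: it builds a constructed root, intermediate and domain certificate (the "Example ..." names and file names are made up), prints how each issuer matches the subject one level up, and verifies the domain certificate with and without the intermediate.

```shell
#!/bin/sh
# Added example: builds a constructed root -> intermediate -> leaf PKI (all
# names are made up) and shows why the intermediate must be installed.
set -e

build_chain() (   # $1 = empty working directory; runs in a subshell
  cd "$1"
  cat > o.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
  for n in root inter leaf; do   # one key pair and signing request per link
    openssl req -new -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr \
      -subj "/CN=Example $n" -config o.cnf 2>/dev/null
  done
  sign() { openssl x509 -req -days 2 -extfile o.cnf "$@" 2>/dev/null; }
  sign -in root.csr  -signkey root.key -extensions ca -out root.crt
  sign -in inter.csr -CA root.crt  -CAkey root.key  -CAcreateserial -extensions ca   -out inter.crt
  sign -in leaf.csr  -CA inter.crt -CAkey inter.key -CAcreateserial -extensions leaf -out leaf.crt
)

# Print one name field ("subject" or "issuer") of a certificate file.
field() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# Succeeds only if $3 (leaf) chains to the trusted root $1, given the
# intermediates file $2 the server would send ("" = none installed).
chain_ok() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

d=$(mktemp -d); build_chain "$d"
for c in leaf inter root; do
  echo "$c: subject=[$(field subject "$d/$c.crt")] issuer=[$(field issuer "$d/$c.crt")]"
done
chain_ok "$d/root.crt" "" "$d/leaf.crt" && echo "leaf alone: trusted" || echo "leaf alone: NOT trusted"
chain_ok "$d/root.crt" "$d/inter.crt" "$d/leaf.crt" && echo "leaf + intermediate: trusted"
```

For a real deployment, the same chain_ok check can be run against the downloaded root file, the CA's intermediate file and your own domain certificate before installing them on the server.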
