TL;DR
No. Trust anchors are root CA certificates, which clients (operating systems, browsers, TLS libraries) carry in a pre-installed trust store. An intermediate CA is trusted only because a trusted root signed its certificate; a client that has not been explicitly configured to treat the intermediate as an anchor keeps walking the chain upward until it reaches a root it already knows. In practice this means your server must send the full chain (leaf plus intermediate certificate(s)) so the client can connect the leaf to a root it trusts.
Understanding Certificate Authorities
Before diving into intermediate CAs, let’s quickly cover the basics:
- Root CA: The top-level authority. Its certificate is self-signed, and clients trust it only because operating systems, browsers and TLS libraries ship it in a pre-defined trust store. Root private keys are normally kept offline.
- Intermediate CA: A CA whose certificate was signed by a Root CA (or by another intermediate), authorizing it to issue certificates on the root's behalf. Day-to-day signing happens here, so the root key rarely has to be used, and if an intermediate is compromised it can be revoked and replaced without pushing a new root to every client.
- Leaf Certificate: The certificate issued to your website or service (e.g., for HTTPS).
The chain of trust looks like this: Leaf Certificate → Intermediate CA → Root CA
Why Self-Signed Certificates are Different
A self-signed certificate is signed with its own private key, so nothing outside the certificate vouches for it. Note that a root CA certificate is self-signed too; the difference is that the root is present in the client's trust store, while an arbitrary self-signed server certificate is not. When a browser meets a self-signed certificate it does not already trust, it warns the user that the connection is not trusted.
Why Intermediate CAs Aren’t Trusted Automatically
- Root CA is Key: Your computer trusts an intermediate CA because it trusts the Root CA that signed it. The trust does not originate with the intermediate itself, and the intermediate's certificate is normally not in the trust store at all; the server has to send it.
- Chain Validation: When your browser connects to a website over HTTPS, it builds and checks the whole chain from the leaf up to a trusted root. It verifies:
- The leaf certificate is within its validity period, has not been revoked (where the client checks revocation), and its Subject Alternative Name matches the host name requested.
- The intermediate CA signed the leaf certificate, and the intermediate's own certificate is valid and marked as a CA.
- A root CA present in the trust store signed the intermediate (or the last intermediate, if there are several).
How to Establish Trust for an Intermediate CA
You don't directly 'trust' an intermediate CA; you trust its root CA and let the chain do the rest. Here's how it works:
- Obtain a Certificate from a Publicly Trusted CA: Use a well-known CA (e.g., Let's Encrypt, DigiCert, Sectigo). Their roots are already in the major trust stores, and they hand you the intermediate certificate(s) together with your leaf certificate.
- Install the Full Chain: When configuring your web server or application, ensure you install the entire certificate chain, not just the leaf certificate. The root itself does not need to be sent; clients already have it.
- For Apache 2.4.8 and later, the file named by SSLCertificateFile may contain the leaf followed by the intermediate certificate(s); older versions need the intermediates in a separate SSLCertificateChainFile.
- For Nginx there is no separate chain directive: the file named by ssl_certificate must contain the leaf certificate first, followed by the intermediate CA certificate(s).
- Verify Chain Installation: Use an online SSL checker tool (e.g., SSL Shopper), or test from the command line with openssl s_client -connect example.com:443 -servername example.com -showcerts and look for "Verify return code: 0 (ok)" (assuming the machine's OpenSSL has a system CA store). A missing intermediate shows up as "unable to get local issuer certificate". Test from a machine that has not visited the site before, since a browser may have cached the intermediate from another site.
Example Nginx Configuration
Here’s a snippet showing how to configure an Nginx server with a full certificate chain:
server {
    listen 443 ssl;
    server_name example.com;

    # The file must contain the leaf certificate first, followed by the
    # intermediate CA certificate(s). The root certificate is not needed here.
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    ... other configuration ...
}
What Happens if the Chain is Incomplete?
If the client cannot build a chain from the leaf to a trusted root (typically because the server sent only the leaf and not the intermediate), validation fails: a browser shows an untrusted-connection warning, and a non-interactive client simply refuses to connect. Be aware that this failure is inconsistent. Some browsers fetch a missing intermediate using the Authority Information Access URL in the leaf, or already have it cached from another site, so a broken chain can look fine in the administrator's browser while failing for curl, OpenSSL-based tools, Java and many mobile or API clients that do not fetch intermediates. Always test with a client that does not paper over the gap.
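The behaviour described above, and the chain-installation steps in the previous section, can be reproduced offline. The script below is an added example, not code from the original article: it builds a throwaway root, intermediate and leaf with the openssl CLI (the names "Demo Root CA", "Demo Intermediate CA" and example.com are constructed for the demo, and the temp directory is an assumption), then runs openssl verify the way a client would in four situations: the server sent only the leaf, the server sent the full chain, only the intermediate is in the trust store, and the same trust store with partial-chain verification explicitly enabled.

```shell
#!/bin/sh
# Added example, not from the original article: a throwaway
# root -> intermediate -> leaf PKI built with the openssl CLI, used to show
# how validation behaves when the intermediate is missing, supplied, or
# (incorrectly) treated as a trust anchor. Assumes openssl 1.1.1 or newer
# on PATH. All names and paths below are constructed for this demo.

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Self-contained config so the run does not depend on the system openssl.cnf.
write_config() {
  cat > "$PKI_DIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_root
prompt             = no
[ dn ]
CN = Demo
[ v3_root ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ v3_intermediate ]
basicConstraints       = critical,CA:TRUE,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:example.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

build_demo_pki() {
  write_config
  d="$PKI_DIR"; cfg="$d/openssl.cnf"
  # 1. Self-signed root CA: the only certificate a client needs to trust.
  openssl req -x509 -config "$cfg" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1 || return 1
  # 2. Intermediate CA, signed by the root (CA:TRUE, but not a trust anchor).
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -sha256 -extfile "$cfg" -extensions v3_intermediate -out "$d/int.crt" >/dev/null 2>&1 || return 1
  # 3. Leaf (server) certificate for example.com, signed by the intermediate.
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=example.com" -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$cfg" -extensions v3_leaf -out "$d/leaf.crt" >/dev/null 2>&1 || return 1
  # 4. The file a web server should serve: leaf first, then intermediate(s), no root.
  cat "$d/leaf.crt" "$d/int.crt" > "$d/fullchain.pem"
}

# Validate the leaf the way a client would. $1 = file of trust anchors,
# $2 = file of untrusted certs the server sent (may be empty), rest = extra flags.
verify_leaf() {
  anchors="$1"; sent="$2"; shift 2
  if [ -n "$sent" ]; then
    openssl verify -CAfile "$anchors" -untrusted "$sent" "$@" "$PKI_DIR/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$anchors" "$@" "$PKI_DIR/leaf.crt" >/dev/null 2>&1
  fi
}

# Client trusts the root, server sent only the leaf: rejected with
# "unable to get local issuer certificate" (the classic missing-intermediate bug).
check_missing_intermediate() { verify_leaf "$PKI_DIR/root.crt" ""; }
# Client trusts the root, server sent leaf + intermediate: accepted.
check_full_chain() { verify_leaf "$PKI_DIR/root.crt" "$PKI_DIR/fullchain.pem"; }
# Only the intermediate in the trust store: still rejected, because validation
# keeps walking upward until it reaches a self-signed root it trusts.
check_intermediate_as_anchor() { verify_leaf "$PKI_DIR/int.crt" ""; }
# Same trust store, but the verifier is explicitly told to accept a partial
# chain: accepted. This opt-in is what it takes for an intermediate to act as a root.
check_intermediate_partial_chain() { verify_leaf "$PKI_DIR/int.crt" "" -partial_chain; }

report() {
  if "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

run_demo() {
  build_demo_pki || { echo "failed to build demo PKI in $PKI_DIR" >&2; return 1; }
  report check_missing_intermediate
  report check_full_chain
  report check_intermediate_as_anchor
  report check_intermediate_partial_chain
}

run_demo
```

The third case is the direct answer to the question in the title: even with the intermediate certificate sitting in the trust file, OpenSSL rejects the leaf, because an intermediate is not a trust anchor. The fourth case shows that making it one is a deliberate verifier-side opt-in (-partial_chain here), not something a server operator can achieve by shipping the right files.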
Public Key Infrastructure (PKI) Considerations
For internal PKI, the root CA certificate (not the intermediate) must be imported into the trust store of every client: on Debian/Ubuntu, copy it as a .crt file into /usr/local/share/ca-certificates/ and run update-ca-certificates; on RHEL-family systems, place it in /etc/pki/ca-trust/source/anchors/ and run update-ca-trust. Applications that keep their own trust store (Java's cacerts, Firefox's NSS database, some language runtimes) need a separate import. The internal intermediate is handled exactly like a public one: it is served by the server alongside the leaf, not installed on clients. This requires careful planning and execution, because every client holding your root will accept anything that chains to it, so keep the root key offline and issue only from the intermediate.