What are Intermediate Root CA certificates?
All customers installing a GlobalSign SSL Certificate need to install the appropriate Intermediate root CA certificate on their web servers. The installation only needs to be carried out once. Once it is installed, all browsers, applications and mobiles that recognize GlobalSign will trust GlobalSign SSL Certificates. If customers do not install the appropriate Intermediate root CA certificate, browsers, applications and mobiles will not be able to recognize GlobalSign SSL Certificates as trusted. The Intermediate root CA certificates need only be installed on the web server; visitors to your web site do NOT need to install them.
Why does GlobalSign use Intermediate root CA certificates?
GlobalSign has always adopted a high security model when issuing digital certificates. We use a trust chain that ensures that the primary GlobalSign root CA (i.e. the certificate that is pre-installed with all browsers, applications and mobiles) is “offline” and kept in a highly secure environment with stringently limited access. This means the root CA is not used to directly sign end entity SSL Certificates. GlobalSign thereby employs a best practices approach for its Public Key Infrastructure, protecting against the major effects of a “key compromise”. For example, a key compromise of the Root CA would render the root and all certificates issued by the root untrustworthy; because we keep our root offline, this (somewhat unlikely) event is significantly less likely to happen.
Intermediate root CAs are used by all major Certification Authorities because of the extra security level they provide. Both GlobalSign and VeriSign have long adopted the use of Intermediate root CA certificates.
Figure One: Graphical Representation of the GlobalSign SSL Root CA Certificate Hierarchy
Figure One shows the high security CA root hierarchy (Public Key Infrastructure) deployed by GlobalSign.
Figure Two: OrganizationSSL Certification Path in Internet Explorer
This is how the certification path of a successfully installed OrganizationSSL and its Intermediates will look, where www.globalsign.com will be your common/domain name. Note that the DomainSSL certification path will use the 'GlobalSign Domain Validation CA' in place of the 'GlobalSign Organization Validation CA'.
Figure Three: ExtendedSSL Certification Path in Firefox
Using Firefox to view the certificate details of a successfully installed ExtendedSSL and its Intermediates shows you how the certification path will look. When using Internet Explorer 7 to view the certification path of an ExtendedSSL, you'll notice that there are only three certificates, as opposed to the four seen here, because IE7 bypasses the Cross certificate and chains to a different Root.
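To see why the intermediate has to be installed on the server, the following added example (not GlobalSign's own material) builds a throwaway root, intermediate and leaf with the openssl command line and verifies the leaf as a client that trusts only the root would, first without and then with the intermediate a server is expected to send. All names, file paths and the helper functions are constructed for the demonstration.

```shell
# Added example: a throwaway three-tier hierarchy with constructed names,
# not GlobalSign's certificates. Requires the openssl command-line tool.

new_csr() {  # $1 = dir, $2 = file stem, $3 = subject common name
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_demo_chain() {  # $1 = existing, empty working directory
    w=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n' > "$w/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$w/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$w/leaf.ext"
    new_csr "$w" root "Demo Offline Root CA" &&
    new_csr "$w" int "Demo Intermediate CA" &&
    new_csr "$w" leaf "www.example.test" &&
    # Root: self-signed. This is the key a CA keeps offline.
    openssl x509 -req -sha256 -days 2 -in "$w/root.csr" -signkey "$w/root.key" \
        -extfile "$w/ca.ext" -out "$w/root.pem" 2>/dev/null &&
    # Intermediate: signed by the root.
    openssl x509 -req -sha256 -days 2 -in "$w/int.csr" -CA "$w/root.pem" \
        -CAkey "$w/root.key" -set_serial 2 -extfile "$w/ca.ext" -out "$w/int.pem" 2>/dev/null &&
    # Leaf: signed by the intermediate, never directly by the root.
    openssl x509 -req -sha256 -days 2 -in "$w/leaf.csr" -CA "$w/int.pem" \
        -CAkey "$w/int.key" -set_serial 3 -extfile "$w/leaf.ext" -out "$w/leaf.pem" 2>/dev/null
}

# Client view: the trust store holds only the root.
client_trusts() {  # $1 = dir, $2 = optional PEM file of intermediates sent by the server
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" 2>/dev/null
    else
        openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>/dev/null
    fi | grep -q ': OK$'
}

demo=$(mktemp -d) && build_demo_chain "$demo" || exit 1
client_trusts "$demo" && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
client_trusts "$demo" "$demo/int.pem" && echo "leaf + intermediate: trusted" \
    || echo "leaf + intermediate: NOT trusted"
rm -rf "$demo"
```

The `-untrusted` file stands in for the certificates a web server sends alongside its own; the client uses it only to build the path and still anchors trust in the root it already holds.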