About Intermediate Certificates

What are Intermediate Root CA certificates?
All customers installing a GlobalSign SSL Certificate will need to install the appropriate Intermediate root CA onto their web servers.  The installation needs to only be conducted once.  Once installed, all browsers, applications and mobiles that recognize GlobalSign will trust GlobalSign SSL Certificates.  If customers do not install the appropriate Intermediate root CA certificate, browsers, applications and mobiles will not be able to recognize GlobalSign SSL Certificates as being trusted.  The Intermediate root CA certificates need only be installed on the web server and are NOT needed to be installed by visitors to your web site.

Why does GlobalSign use Intermediate root CA certificates?
GlobalSign has always adopted a high security model when issuing digital certificates.  We use a trust chain that ensures that the primary GlobalSign root CA (i.e. the certificate that is pre-installed with all browsers, applications and mobiles) is “offline” and kept in a highly secure environment with stringently limited access.  This means the root CA is not used to directly sign end entity SSL Certificates, as such GlobalSign employs a best practices approach for its Public Key Infrastructure therefore protecting against the major effects of a “key compromise”.  For example, a key compromise of the Root CA would render the root and all certificates issued by the root untrustworthy, and because we keep our root offline this (somewhat unlikely event) is significantly less likely to happen.

The use of Intermediate root CAs is utilized by all major Certification Authorities because of the extra security level they provide.  Both GlobalSign and VeriSign have long adopted the use of Intermediate root CA certificates.

Figure One: Graphical Representation of the GlobalSign SSL Root CA Certificate Hierarchy

GlobalSign SSL Root Hierarchy

Figure One shows the high security CA root hierarchy (Public Key Infrastructure) deployed by GlobalSign.

Figure Two: OrganizationSSL Certification Path in Internet Explorer

Certification Path of an OrganizationSSL

This is how the certification path of a successfully installed OrganizationSSL and its Intermediates will look, where www.globalsign.com will be your common/domain name. Note that the DomainSSL certification path will use the 'GlobalSign Domain Validation CA' in place of the 'GlobalSign Organization Validation CA'.

Figure Three: ExtendedSSL Certification Path in Firefox

Certification Path of an ExtendedSSL

Using Firefox to view the certificate details of a successfully installed ExtendedSSL and its Intermediates shows you how the certification path will look. When using Internet Explorer 7 to view the certification path of an ExtendedSSL, you'll notice that there are only three certificates opposed to the four seen here because IE7 bypasses the Cross certificate and chains to a different Root.

  • 14 Users Found This Useful
Was this answer helpful?

Related Articles

Who do I contact for SSL Certificate issues?

Pre-Sales For any pre-sales enquiries relating to SSL Certificates or if you require a CSR...

I have moved servers / hosting providers. Can I use the same SSL Certificate?

Providing that the domain name does not change the same certificate be used. The certificate can...

How do I renew my certificate? Will it cost the same as before?

Our SSL Certificates are sold as a one time product with various validity periods, this means the...

What is SSL?

The SSL (secure socket layer) protocol is the Web standard for encrypting communications between...

SSL Intermediate and Root Certificates | GlobalSign.com

You must install the appropriate GlobalSign intermediate certificate on to your server for your...