Education Center

Difference between Root CA and Intermediate CA

Root CAs have multiple roots in trust stores of major browsers. However, the intermediate CAs, which are created from the root CAs, do not have roots in the trust stores. The intermediate roots instead link back to the trusted third-party root CAs.

Root CAs are kept offline and they issue certificates only to the intermediate CAs, and not to the end users as this would compromise the security posture. Intermediate CAs have their certificates issued by the root CA and are used to sign end-user and server certificates. Multiple intermediate CAs can be configured between the root CA and the end-user certificate, creating the certificate trust chain.

Let’s get you started on your certificate automation journey

Intermediate certificates are cross-signed certificates, whereas, the root certificates are self-signed.

Root CAs form the foundation of the certificate chain of trust model, while the primary objective of the intermediate CAs is to provide an additional level of security in case of any mis-issuance or cyber threats.