SSL Installing Intermediate Certificates

SSL Installing Intermediate Certificates

What is an intermediate certificate?

An intermediate certificate is a subordinate certificate issued by a trusted root specifically to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate CA (or CAs) and ending with the SSL certificate issued to you. Such certificates are called chained root certificates.  The InCommon trust chain is described here.

Using intermediate certificates does not cause installation, performance, or compatibility issues.

Why use intermediate certificates?

Creating certificates directly from the CA root certificate increases the risk of root certificate compromise, and if the CA root certificate is compromised, the entire trust infrastructure built by the SSL provider will fail. The usage of intermediate certificates for issuing SSL certificates to end entities, therefore, reduces risk. 

You must install the intermediate certificate in your Web server along with your issued SSL certificate.  Almost all commercial certificate vendors use intermediate certificates.  As the Intermediate Certificate is issued by the Trusted Root CA, any SSL Certificates issued by the Intermediate Certificate inherits the trust of the Trusted Root - effectively creating a certification chain of trust.  A sample trust chain including an intermediate cert:

Cert_Final.jpg

How to install intermediate certificates

The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.  During SSL negotiation, the server send the trust chain to the client to assist the client in building and verifying the trust chain.

Different server software has different methods of installing the intermediate certificates on the server.  Comodo articles on how to install intermediate certificates for Apache and IIS are linked below. 

Apache:https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=264&nav=0,1

IIS:https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=487&nav=0,1,88

If you continue to have a problem with the trust chain (unknown authority), feel free to contact us.

How to verify that your intermediate certificates are installed correctly

Typically, after installing a certificate on a server we test the installation using various browsers. This works okay as long as you delete the intermediate certificate (not the root certificate) from your browser.  During SSL negotiation the server should send the end entity certificate and the intermediate certificate to the client (browser), if the intermediate certificate is properly installed on the server.  In our case, this should be the InCommon intermediate certificate (fingerprint). 

Alternatively if you have openssl available, you can test whether or not the intermediate certificate is installed correctly by executing this command:

openssl s_client -showcerts -connect lists.wisc.edu:443

OR

openssl s_client -connect webservertotest.wisc.edu:443 -CAfile AddTrustRoot.cer

The command should return status code of 0 if everything is in order.

Note: Use the appropriate substitution for your particular situation.  For example, replace "webservertotest.wisc.edu" with the CN of the webserver you are configuring, modify the port number if needed, and make sure you have a copy of the root certificate which I named "AddTrustRoot.cer" 

Alternatively, you can use the following on-line tool to test your web site.

http://www.ssltool.com/?action=sslCheckOpenSSL

Are there any known problems with the use of Intermediate Certificates?

No. All web browsers developed after Internet Explorer 3 and Netscape 3 use SSL version 3 as standard. The previous versions SSL V2.0 and V1.0 had inherent security flaws meaning their usage has been virtually eliminated.

One more thing .. sometimes a SSL client cares in what order it receives the trust chain

Some devices require that the intermediate and root are a certain order in the CA bundle, if the root is included in the bundle. A bundle is typically a pem file with more than one certificate in it.  For example, the Android OS requires that a server present the root first and then the intermediate. Not intermediate, then root. Vendors suggest not including the root at all in the cabundle since the client should already trust the root to avoid these problems. Google suggests it can help with performance not to include the root.




Keywords: server certificates ssl incommon comodo   Doc ID: 18923
Owner: Matt A.Group: Office of Campus Information Security
Created: 2011-06-19 19:00 CDTUpdated: 2014-05-23 14:22 CDT
Sites: DoIT Help Desk, DoIT Staff, Office of Campus Information Security