SSL/TLS Installing Intermediate Certificates

This document includes helpful information to describe what an intermediate certificate is, what they're used for and how to implement them. User's can follow the instructions to install the intermediate certificate and verify that it is installed correctly.
What is an intermediate certificate?

An intermediate certificate is a subordinate certificate issued by a trusted root specifically to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate CA (or CAs) and ending with the SSL certificate issued to you. Such certificates are called chained root certificates.  The InCommon trust chain is described here.

Using intermediate certificates does not cause installation, performance, or compatibility issues.

Why use intermediate certificates?

Creating certificates directly from the CA root certificate increases the risk of root certificate compromise, and if the CA root certificate is compromised, the entire trust infrastructure built by the SSL provider will fail. The usage of intermediate certificates for issuing SSL certificates to end entities, therefore, reduces risk. 

You must install the intermediate certificate in your Web server along with your issued SSL certificate.  Almost all commercial certificate vendors use intermediate certificates.  As the Intermediate Certificate is issued by the Trusted Root CA, any SSL Certificates issued by the Intermediate Certificate inherits the trust of the Trusted Root - effectively creating a certification chain of trust.  A sample trust chain including an intermediate cert:


How to install intermediate certificates

The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.  During SSL negotiation, the server send the trust chain to the client to assist the client in building and verifying the trust chain.

Different server software has different methods of installing the intermediate certificates on the server.  Comodo articles on how to install intermediate certificates for Apache and IIS are linked below. 

Apache: Click Here

IIS: Click Here

If you continue to have a problem with the trust chain (unknown authority), feel free to contact us.

How to verify that your intermediate certificates are installed correctly

Typically, after installing a certificate on a server we test the installation using various browsers. This works okay as long as you delete the intermediate certificate (not the root certificate) from your browser.  During SSL negotiation the server should send the end entity certificate and the intermediate certificate to the client (browser), if the intermediate certificate is properly installed on the server.  In our case, this should be the InCommon intermediate certificate (fingerprint). 

Alternatively if you have openssl available, you can test whether or not the intermediate certificate is installed correctly by executing this command:

openssl s_client -showcerts -connect


openssl s_client -connect -CAfile AddTrustRoot.cer

The command should return status code of 0 if everything is in order.

Note: Use the appropriate substitution for your particular situation.  For example, replace "" with the CN of the webserver you are configuring, modify the port number if needed, and make sure you have a copy of the root certificate which I named "AddTrustRoot.cer" 

Alternatively, you can use the following on-line tool to test your web site.

Are there any known problems with the use of Intermediate Certificates?

No. All web browsers developed after Internet Explorer 3 and Netscape 3 use SSL version 3 as standard. The previous versions SSL V2.0 and V1.0 had inherent security flaws meaning their usage has been virtually eliminated.

One more thing .. sometimes a SSL client cares in what order it receives the trust chain

Some devices require that the intermediate and root are a certain order in the CA bundle, if the root is included in the bundle. A bundle is typically a pem file with more than one certificate in it.  For example, the Android OS requires that a server present the root first and then the intermediate. Not intermediate, then root. Vendors suggest not including the root at all in the cabundle since the client should already trust the root to avoid these problems. Google suggests it can help with performance not to include the root.

Keywordsserver certificates ssl tls incommon comodo sectigo   Doc ID18923
OwnerJake S.GroupSSL Server Certificates
Created2011-06-19 19:00:00Updated2023-08-02 15:27:38
SitesDoIT Help Desk, SSL Server Certificates
Feedback  2   0