Intermediate Certificates – What’s the Big Deal?
Intermediate certificates provide maximum browser and server coverage to ensure visitors won’t receive “invalid SSL” warnings when they visit your site.
Most Web browsers and servers include one or more of our trusted root certificates, either Starfield Technologies, Go Daddy or Valicert. The intermediate certificate bundle “chains” your SSL certificate to our trusted root certificates, letting your certificate secure connections with older browsers that might have only our original Valicert root certificate.
Additionally, Certificate Path Validation lets Web browsers look for the best path to a trusted root that can validate and complete the chain for a certificate. In other words, intermediate certificates provide browsers more options.
For example, consider the certificate chain for email.secureserver.net.
The top certificate represents the SSL certificate issued to email.secureserver.net. The middle two represent the signing intermediate and the “Cross” certificate for Starfield Technologies. The bottom certificate represents the Valicert root, which is the original Go Daddy root certificate.
The Cross certificate is specifically designed to allow chaining through the Valicert root certificate.
Now, take a look at how Firefox® 4 views the same certificate chain.
The certificate for email.secureserver.net is chained to a Starfield Secure Certification Authority, which is the same signing intermediate certificate from the first example. The root certificate that completes this chain is the Builtin Object Token: Starfield Class 2 CA.
Why is it different? In this case, Firefox used Certificate Path Validation to determine that the Starfield root certificate was the best path to validate and complete the chain. Without the intermediate certificate bundle, older browsers that don’t have the Starfield root would not be able to make a secure connection.
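The two paths described above, modeled as an added example (not code from this page or from Go Daddy). Certificates are reduced to subject and issuer names, with no signature or date checks. The names, the contents of the two trust stores, and the choice of the shortest path as the "best" one are assumptions.

```python
from collections import namedtuple

# Simplified model: a certificate is only (subject, issuer). Real path
# validation also checks signatures, validity dates and constraints.
Cert = namedtuple("Cert", "subject issuer")

# Constructed names taken from the chain described on this page.
LEAF = Cert("email.secureserver.net", "Starfield Secure Certification Authority")
SIGNING = Cert("Starfield Secure Certification Authority", "Starfield Class 2 CA")
# Assumption: the cross certificate carries the Starfield root's subject
# but is issued by the Valicert root.
CROSS = Cert("Starfield Class 2 CA", "Valicert root")
STARFIELD_ROOT = Cert("Starfield Class 2 CA", "Starfield Class 2 CA")
VALICERT_ROOT = Cert("Valicert root", "Valicert root")
BUNDLE = [SIGNING, CROSS]  # what the server sends along with the leaf


def build_paths(leaf, sent_by_server, trust_store):
    """Return every chain from leaf to a trusted root, shortest first."""
    paths = []

    def walk(cert, chain):
        # A trusted root named as this certificate's issuer completes a chain.
        for root in trust_store:
            if root.subject == cert.issuer:
                paths.append(chain + [root])
        # Keep climbing through non-root certificates the server supplied.
        for ca in sent_by_server:
            if ca.subject == cert.issuer and ca.subject != ca.issuer and ca not in chain:
                walk(ca, chain + [ca])

    walk(leaf, [leaf])
    return sorted(paths, key=len)


def names(path):
    return [f"{c.subject} (issued by {c.issuer})" for c in path]


if __name__ == "__main__":
    # Assumed trust stores: the older one holds only the Valicert root.
    stores = {"older browser": [VALICERT_ROOT],
              "newer browser": [STARFIELD_ROOT, VALICERT_ROOT]}
    for label, store in stores.items():
        for sent in (BUNDLE, []):
            found = build_paths(LEAF, sent, store)
            print(label, "| bundle sent:", bool(sent))
            print("   ", names(found[0]) if found else "no path to a trusted root")
```

With the full bundle, the older store reaches the Valicert root through the cross certificate, while the newer store finds both paths and the shorter one ends at the Starfield root.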