Intermediate certificates

Intermediate certificates are used to determine whether a certificate was issued by a valid and trusted root certification authority (CA).

The certificate chain, or certification path, is a list of certificates that includes the intermediate certificate issuers. Verification of the chain starts with the leaf certificate, and each certificate in the chain is checked against the entity identified by the next certificate in the chain, until the root certificate is verified.

Certificate chain verification fails if conditions such as the following are encountered:
  • Certificates are expired.
  • Certificates do not have a valid signature.
  • Certificates do not have a valid issuing CA.

The server makes intermediate certificates available to the client as part of the secure connection established between the client and server. An intermediate certificate is used to determine whether a certificate was issued by a valid root CA. The root CA certificate issues or signs the intermediate certificate, and the intermediate certificate issues or signs a TLS certificate. If the intermediate certificate is not installed on the server where the TLS certificate is installed, then applications might not trust the server TLS certificate. To have clients trust the TLS certificate, you must make the intermediate certificates available on the server.
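
The following added example (not part of the original page) builds a constructed root, intermediate and leaf certificate, then verifies the leaf as a client that trusts only the root: without the intermediate, with it, and at a time after the certificates have expired. It assumes the OpenSSL command-line tool (1.1.1 or later) is on the PATH; the function names, file names and subject names are made up for the illustration.

```shell
#!/bin/sh
# Constructed chain: root CA -> intermediate CA -> TLS leaf (sample data only).
build_chain() {  # $1 = empty working directory
  d=$1
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: the only certificate the client trusts.
  openssl req -x509 -config "$d/ext.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Constructed Root CA" \
    -days 30 2>/dev/null || return 1
  # Root signs the intermediate; the intermediate signs the TLS leaf.
  issue "$d" int "Constructed Intermediate CA" root ca &&
  issue "$d" leaf "server.example.test" int leaf
}

issue() {  # $1 dir, $2 name, $3 CN, $4 issuer name, $5 extension section
  openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -extfile "$1/ext.cnf" -extensions "$5" -days 30 \
    -out "$1/$2.pem" 2>/dev/null
}

# Verify the leaf as a client that trusts only the root.
# $2 = yes|no: whether the server made the intermediate available.
# $3 = optional Unix time at which validity periods are evaluated.
verify_leaf() {
  d=$1; inter=$2; at=${3:-}
  set -- -CAfile "$d/root.pem"
  [ "$inter" = yes ] && set -- "$@" -untrusted "$d/int.pem"
  [ -n "$at" ] && set -- "$@" -attime "$at"
  openssl verify "$@" "$d/leaf.pem" >/dev/null 2>&1
}

# Demo run: missing intermediate, complete chain, expired chain.
work=$(mktemp -d) && build_chain "$work" || exit 1
verify_leaf "$work" no  && echo "root only: trusted" || echo "root only: NOT trusted"
verify_leaf "$work" yes && echo "with intermediate: trusted"
verify_leaf "$work" yes "$(( $(date +%s) + 40*86400 ))" || echo "40 days on: NOT trusted"
rm -rf "$work"
```

Against a live server, the same check applies to the certificates the server actually sends: if verification succeeds only when the intermediate is supplied locally, the server is not making it available.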