Understanding InCommon and Sectigo Root and Intermediate Certificates

This knowledge base (KB) article provides developers and engineers with a foundational understanding of Root Certificates and Intermediate Certificates, their purpose, and how to download them for InCommon (Sectigo/Comodo). It also covers where and how they are used in enterprise environments.

1. What is a Root Certificate?

A Root Certificate is the foundation of the Certificate Chain of Trust. It is issued by a Certificate Authority (CA) to itself (self-signed) and is used to establish trust for all certificates issued under it. Since a root certificate is the highest level of trust, it must be pre-installed in trust stores (browsers, operating systems, and enterprise applications like Oracle Wallet or Active Directory).

Key Characteristics of a Root Certificate:

  • Self-signed by the CA (e.g., Sectigo Root CA)
  • Stored in the Trusted Root Certificate Store of an OS or application
  • Used to validate Intermediate and End-entity certificates
  • Should be installed only if missing from the system’s trust store

2. What is an Intermediate Certificate?

An Intermediate Certificate is issued by a Root CA and serves as a bridge between the root and end-entity certificates (e.g., SSL/TLS certificates used for web servers). Intermediate certificates enhance security by limiting how often the root CA's private key has to be used for signing, so the root can stay offline.

Key Characteristics of an Intermediate Certificate:

  • Issued by a Root CA or another Intermediate CA
  • Used to sign end-entity certificates (e.g., website SSL certificates)
  • Reduces risk by allowing root certificates to remain offline
  • Must be installed along with the end-entity certificate to establish full trust

3. Where and How Are Root and Intermediate Certificates Used?

Common Use Cases:

  • SSL/TLS for Web Servers: Intermediate and root certificates establish trust in HTTPS connections.
  • Enterprise Applications (Oracle Wallet, Java Keystores, AD CS, etc.): Used for secure application authentication.
  • Email Security (S/MIME): Ensures secure email communication.
  • Code Signing: Validates the authenticity and integrity of software.
  • VPN & Wi-Fi Authentication: Enables secure authentication via certificates.

4. How to Download Sectigo Root and Intermediate Certificates

Sectigo (formerly Comodo and InCommon) provides publicly available root and intermediate certificates. You can download them from:

Sectigo Certificate Repository

To see which root and intermediate certificates are used for each certificate type issued through the InCommon Certificate Manager, see

InCommon Certificate Service Confluence

5. Installing Root and Intermediate Certificates

Linux (RHEL/CentOS):

        sudo cp root_certificate.crt /etc/pki/ca-trust/source/anchors/
        sudo update-ca-trust extract

Windows:

  1. Open MMC (Win + R, type mmc, press Enter).
  2. Add the Certificates Snap-in.
  3. Import the Root Certificate into Trusted Root Certification Authorities.
  4. Import the Intermediate Certificate into Intermediate Certification Authorities.

Note: Actual commands may vary depending on the operating system and version. Please refer to the vendor's documentation for specific commands.

6. Verifying Installation

Linux:

        openssl verify -CAfile root_certificate.crt intermediate_certificate.crt

Windows:

Check via certmgr.msc

7. Troubleshooting Tips

  • Ensure that both the root and intermediate certificates are installed.
  • If a service fails to validate, check the certificate chain the server presents using:

        openssl s_client -connect example.com:443 -showcerts
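As an added, self-contained illustration of sections 6 and 7 (not part of this KB or of Sectigo's material), the following shell script generates a throwaway root / intermediate / leaf chain with openssl and shows that the leaf verifies only when the intermediate is supplied. The CA names, the hostname www.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the KB): build a throwaway root -> intermediate -> leaf
# chain with openssl, then verify the leaf with and without the intermediate.
# All names (Demo Root CA, www.example.test, file names) are constructed.
set -eu

make_chain() {
  dir="$1"; mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha256 -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -sha256 -days 2 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' >"$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -sha256 -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
}

# Success only if openssl prints "<file>: OK" (exit codes differ across versions).
verify_ok() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

# Section 6 check extended with -untrusted: the intermediate is presented the way a server sends it.
verify_with_intermediate() {
  verify_ok -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt"
}

# Section 7 failure mode: no intermediate, so no path from the leaf to the trusted root.
verify_without_intermediate() {
  verify_ok -CAfile "$1/root.crt" "$1/leaf.crt"
}

# Print subject/issuer per certificate to eyeball the chain, as after `s_client -showcerts`.
show_chain() {
  for f in "$1/leaf.crt" "$1/int.crt" "$1/root.crt"; do
    openssl x509 -in "$f" -noout -subject -issuer
  done
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_chain "$d"; show_chain "$d"
  verify_with_intermediate "$d" && echo "with intermediate: OK"
  verify_without_intermediate "$d" || echo "without intermediate: FAILED (expected)"
fi
```

Run it as `sh chain_demo.sh demo`; the second verify fails with "unable to get local issuer certificate", which is the symptom the troubleshooting tips describe.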

Conclusion

Understanding root and intermediate certificates is crucial for maintaining secure communications in enterprise environments. By following this guide, you can successfully download, install, and manage Sectigo/InCommon certificates for your infrastructure.

For additional assistance, reach out to your infrastructure security team.