An intermediate certificate is a subordinate certificate that must be signed by a trusted root certificate or another intermediate certificate.
All web browsers come with an extensive built-in list of trusted root certificates, controlled by Certificate Authorities. Root certificates are not used to sign all certificates or intermediate SSL certificates, as the private key of the root certificate must be secured with the highest level of protection. Access to the root certificate must be restricted. Any compromise of the root certificate’s key would render the complete certificate chain built by the certificate provider as untrustworthy. Intermediate certs are used to sign end-entity SSL certificates as well as other intermediate certs. They function as an intermediate between the root cert and the end-entity or client. The resulting certificate chain commences at the root CA continues through the intermediate CA and ends with the end-entity certificates. These are considered as chained root certificates. Intermediate certificates must always be created with a validity lesser than that of the root certificate.
There are many different types of servers and different types of server software. Each of the server-software combinations requires different methods of installing intermediate certificates. Refer to the below-mentioned link for instructions to install Intermediate Certificates for Apache, NGINX, IIS web servers, etc..,
https://support.comodo.com/index.php?/Knowledgebase/Article/View/633/0/certificate-installation-microsoft-iis-5x--6x https://support.comodo.com/index.php?/Knowledgebase/Article/View/1159/0/certificate-installation-microsoft-iis-8x https://support.comodo.com/index.php?/Knowledgebase/Article/View/1091/0/certificate-installation--nginx https://support.comodo.com/index.php?/Knowledgebase/Article/View/637/0/certificate-installation-apache--mod_ssl
An intermediate certificate authority is an entity that is authorized to sign certificates. The root CA must sign all certificates, however, for security reasons the intermediate CA signs certificates on behalf of the root CA. The intermediate certificate is signed by the root CA.
Check the details of intermediate certificate and verify if they are correct. Next, verify the intermediate certificate against the root certificate. The CA certificate chain must be complete.
Whenever a web browser attempts to verify an end-entity (client) certificate signed by the intermediate CA, the intermediate certificate must be checked against the root certificate through the certificate chain.
End entity certificates chained to an intermediate certificate represent the highest possible security solution for Certification Authorities and therefore their customers. There exists a very small possibility, consistent amongst all certification authorities, that the certificate used to sign end entity certificates could be compromised. The signing process itself mandates that the signing certificate must be accessible in order to perform the signing operation. In the case of an intermediate certificate, the corresponding root certificate is secured/locked away, eliminating the possibility of it being compromised by daily signing processes. End entity certificates directly signed by root certificates (i.e. no intermediate protection) provide no recourse should the root certificate itself become compromised. If an Intermediate were to be compromised then new intermediates could be created and new end entity certificates could be issued.
Once a root itself is compromised there is no solution or replacement strategy. It is therefore considered industry best practice to use intermediate certificates.
Intermediates also help by constraining the size of the Certificate Revocation List (CRL) associated with a certificate product. By periodically rolling over the intermediate CA that signs the end entity certificates CRL’s are kept to a minimum. Maintaining optimal CRL sizes ensures that customers have a smooth and seamless experience visiting Secure Sockets Layer(SSL)-secured websites while full security is maintained transparently to customers/end users.
All the popular web servers’ support chained certificates and have done so for quite some time.
For IIS. Both Microsoft IIS 5.0 and IIS 6.0 are fully PKCS#7 compliant whereby they will automatically parse the certificate extract the new intermediate and install it in the appropriate certificate store. (Root certificates are also installed if previously removed from the server)
For Apache. Major CAs will deliver a ‘bundled’ file containing the complete certificate chain providing a single installation method for the certificate.