End entity certificates chained to an intermediate certificate represent the highest possible security solution for Certification Authorities and therefore their customers. There exists a very small possibility, consistent amongst all certification authorities, that the certificate used to sign end entity certificates could be compromised. The signing process itself mandates that the signing certificate must be accessible in order to perform the signing operation. In the case of an intermediate certificate, the corresponding root certificate is secured/locked away, eliminating the possibility of it being compromised by daily signing processes. End entity certificates directly signed by root certificates (i.e. no intermediate protection) provide no recourse should the root certificate itself become compromised. If an Intermediate were to be compromised then new intermediates could be created and new end entity certificates could be issued.
Once a root itself is compromised there is no solution or replacement strategy. It is therefore considered industry best practice to use intermediate certificates.
Intermediates also help by constraining the size of the Certificate Revocation List (CRL) associated with a certificate product. By periodically rolling over the intermediate CA that signs the end entity certificates CRL’s are kept to a minimum. Maintaining optimal CRL sizes ensures that customers have a smooth and seamless experience visiting Secure Sockets Layer(SSL)-secured websites while full security is maintained transparently to customers/end users.
All the popular web servers’ support chained certificates and have done so for quite some time.
For IIS. Both Microsoft IIS 5.0 and IIS 6.0 are fully PKCS#7 compliant whereby they will automatically parse the certificate extract the new intermediate and install it in the appropriate certificate store. (Root certificates are also installed if previously removed from the server)
For Apache. Major CAs will deliver a ‘bundled’ file containing the complete certificate chain providing a single installation method for the certificate.