Intermediate certificate authorities
There are two types of certificate authorities (CAs), root CAs and intermediate CAs. In order for a certificate to be trusted, and often for a secure connection to be established at all, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.
If the certificate was not issued by a trusted CA, the connecting device (e.g., a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).
To facilitate this process of verifying a «chain» of trust, every certificate includes the fields «Issued To» and «Issued By». An intermediate CA will show different information in these two fields, showing a connecting device where to continue checking, if necessary, in order to establish trust.
Root CA certificates, on the other hand, are «Issued To» and «Issued By» themselves, so no further checking is possible or necessary in order to establish trust (or lack thereof).
For example, if a certificate issued to «example.com» and issued by «Intermediate CA1», and the visiting web browser trusts «Root CA», trust may be established in the following manner:
- Certificate 1 - Issued To: example.com; Issued By: Intermediate CA 1
- Certificate 2 - Issued To: Intermediate CA 1; Issued By: Intermediate CA 2
- Certificate 3 - Issued To: Intermediate CA 2; Issued By: Intermediate CA 3
- Certificate 4 - Issued To: Intermediate CA 3; Issued By: Root CA
The visiting web browser trusts «Root CA», and a secure connection can now be established. Since this process is often called «certificate chaining», intermediate CA certificates are sometimes called «chained certificates». For enhanced security purposes, most end user certificates today are issued by intermediate certificate authorities.
Installing an intermediate CA signed certificate on a web server or load balancer usually requires installing a bundle of certificates.
- a private key is generated on the big-ip and kept in the filestore (will be used later in your clientssl profile as 'key');
- a certificate signing request will be created for the specific hostname and with some specific attributes;
- you will submit the certificate signing request to a certificate authority (CA);
- the CA will return a signed certificate. You will import it into the TMOS filestore and use it in your clientssl profile as 'certificate';
- the CA will also provide a so-called intermediate CA file or chain certificate. It proves that your chosen CA is trusted by one of the root CAs. You will need the intermediate CA certificate as 'chain' certificate in your clientssl profile.
In a related but distinct usage of the phrase, «Intermediate CA» may refer to a certificate issuing organization that does not, or is unable to issue certificates that chain to a Root CA that is owned by that organization (perhaps due to practical limitations, such as certificate ubiquity). Such an organization may be classified by some as a white label reseller.
Here the ambiguity comes from the use of the term "certificate authority", which can refer either to a certificate issuing organization or the certificates used by those organizations to issue end-user certificates.