What are Intermediate Root CA certificates?
All customers installing a GlobalSign SSL Certificate need to install the appropriate Intermediate root CA certificate on their web servers.  The installation only needs to be done once.  Once installed, all browsers, applications and mobiles that recognize GlobalSign will trust GlobalSign SSL Certificates.  If customers do not install the appropriate Intermediate root CA certificate, browsers, applications and mobiles will not be able to recognize GlobalSign SSL Certificates as trusted.  The Intermediate root CA certificates need only be installed on the web server; visitors to your web site do NOT need to install them.
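
The effect of a missing intermediate can be reproduced offline with OpenSSL. This is an added example, not GlobalSign's own tooling: the three-tier PKI, its names (Demo root, Demo inter, Demo leaf, www.example.test) and the helper functions are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (root -> intermediate -> leaf); every name here is made up.

build_demo_pki() {   # $1 = existing empty directory to fill
  local d="$1" n
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = unused because -subj is given
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  for n in root inter leaf; do   # one key pair and CSR per tier
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
      -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=Demo $n" 2>/dev/null || return 1
  done
  # Root signs itself, root signs the intermediate, intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/pki.cnf" -extensions v3_ca -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/pki.cnf" -extensions v3_ca \
    -out "$d/inter.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 30 -extfile "$d/pki.cnf" -extensions v3_leaf \
    -out "$d/leaf.pem" 2>/dev/null
}

# Client trusts only the root; server sends the leaf alone.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same client, but the server also sends the intermediate (-untrusted = chain helper).
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
}

d=$(mktemp -d) && build_demo_pki "$d" || exit 1
verify_leaf_only "$d" && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
verify_with_intermediate "$d" && echo "with intermediate: trusted" || echo "with intermediate: NOT trusted"
rm -rf "$d"
```

The intermediate is passed with -untrusted because the client does not need to trust it in advance; it only needs it to build the path from the leaf up to the root it already trusts.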

Why does GlobalSign use Intermediate root CA certificates?
GlobalSign has always adopted a high security model when issuing digital certificates.  We use a trust chain that ensures that the primary GlobalSign root CA (i.e. the certificate that is pre-installed with all browsers, applications and mobiles) is “offline” and kept in a highly secure environment with stringently limited access.  This means the root CA is not used to directly sign end entity SSL Certificates.  GlobalSign thereby follows a best practices approach for its Public Key Infrastructure, protecting against the major effects of a “key compromise”.  For example, a key compromise of the Root CA would render the root and all certificates issued by the root untrustworthy; because we keep our root offline, this (somewhat unlikely) event is significantly less likely to happen.

Intermediate root CAs are used by all major Certification Authorities because of the extra security level they provide.  Both GlobalSign and VeriSign have long adopted the use of Intermediate root CA certificates.

Figure One: Graphical Representation of the GlobalSign SSL Root CA Certificate Hierarchy

GlobalSign SSL Root Hierarchy

Figure One shows the high security CA root hierarchy (Public Key Infrastructure) deployed by GlobalSign.

Figure Two: OrganizationSSL Certification Path in Internet Explorer

Certification Path of an OrganizationSSL

This is how the certification path of a successfully installed OrganizationSSL and its Intermediates will look, where www.globalsign.com will be your common/domain name. Note that the DomainSSL certification path will use the 'GlobalSign Domain Validation CA' in place of the 'GlobalSign Organization Validation CA'.

Figure Three: ExtendedSSL Certification Path in Firefox

Certification Path of an ExtendedSSL

Using Firefox to view the certificate details of a successfully installed ExtendedSSL and its Intermediates shows you how the certification path will look. When using Internet Explorer 7 to view the certification path of an ExtendedSSL, you'll notice that there are only three certificates, as opposed to the four seen here, because IE7 bypasses the Cross certificate and chains to a different Root.

