Root and intermediate certificates

27 September 2021

SSL certificates are at the heart of connecting securely to websites. This article looks at where SSL certificates come from and how you can check the SSL certificate for your domain.

The chain of trust

SSL certificates use a chain of trust. The starting point of the chain is a root certificate. This is a public key certificate signed by a root Certificate Authority (CA). As an end user you don’t get an SSL certificate directly from a root CA. Instead, you use an intermediate CA. However, there is a chain between the root and intermedia CA. The intermediate certificate is signed with the root CA’s certificate to show that the certificate can be trusted.

The root certificate is also known as trusted root, which begs the question if root certificates can be trusted. The answer is: not always. There have been cases of root CAs that have been distrusted because of various issues. One of the most well-known examples is WoSign.

Root Stores

A root certificate that is distrusted is removed from root stores. There are a couple of major root stores, run by Microsoft, Apple, Mozilla and Google. These vendors include trusted public key certificates with the operating system or browser. If a website’s SSL certificate doesn’t link back to one of the trusted root certificates you will see an SSL error.

Different root stores have different requirements for root CAs. In general, Mozilla’s root store is quite strict and all its work done in the open, while Microsoft’s root store is less transparent and contains a larger number of root CAs.

Managing root certificates

Operating systems and web browsers let you check the chain of trust and manage the root store. So, if you want you can distrust a certificate on your system.

To illustrate, the below image shows the root certificate details for the domain www.catalyst2.com (that’s us!). I checked the details in Firefox, but you can get the information via any web browser. Typically, you have to click on the lock icon in the URL bar and then look for the certificate details.

The other two tabs in the below image provide details about the intermediate certificate and the SSL certificate for www.catalyst2.com.

Image: viewing certificate details.

In Firefox, you can manage root certificates via the Certificate Manager: open about:preferences#privacy and select View Certificates. The below image shows the DigiCert Global Root CA certificate.

Image: checking the DigiCert root certificate.

As said, you can distrust a certificate. Doing so might break a lot of websites though. Unless you have a good reason to distrust a root certificate you probably want to trust that root stores know what they are doing.

Most other web browsers also have their own root store. Chromium, which is the basis for Google Chrome and the plethora of Chrome-clones, used to rely on the underlying operating system but switched to its own Chrome Root Program in late 2020.

Root stores on operating systems

Operating system include a root store as well. On RHEL8-based systems you find the root certificates in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. The certificates included in the file are based on Mozilla’s CA Certificate Progam, although RHEL distributions can make changes to the defaults. The man page for ca-certificates is a good starting point for learning more about root certificates on RHEL-based systems.

Dealing with errors

One of the things you can check when you get an SSL error is whether or not the certificate is trusted. This is unlikely to be the error, but it is a possible cause – in particular if people using a particular operating system or web browser report SSL errors. It may be that their root store doesn’t trust the root certificate.

You can get lots of details about your SSL certificate via the Qualys SSL Labs checker, which I wrote about in a previous article. You can run the same SSL certificate checks on the command line using the sslabs-scan utility.

Among many other things, SSL Labs checks if the root certificate is trusted in the root store on different devices. For instance, this is the output of the check for the www.catalyst2.com certificate:

$ podman run --rm -it jumanjiman/ssllabs-scan:latest --quiet https://catalyst2.com > catalyst2.com.json
$ jq '.[].endpoints[].details.certChains[].trustPaths[].trust' catalyst2.com.json
[
  {
    "rootStore": "Mozilla",
    "isTrusted": true
  }
]
[
  {
    "rootStore": "Apple",
    "isTrusted": true
  }
]
[
  {
    "rootStore": "Android",
    "isTrusted": true
  }
]
[
  {
    "rootStore": "Java",
    "isTrusted": true
  }
]
[
  {
    "rootStore": "Windows",
    "isTrusted": true
  }
]

The output shows that the certificate is trusted by all root stores, which is good. Obviously, if that is not the case for your certificate then you need to further investigate the issue.