Intermediate Certificate

Security Glossary - SSL/TLS

Definition: An intermediate certificate sits between the root certificate and the end-entity (server) certificate in the chain of trust. The root CA signs the intermediate, and the intermediate signs server certificates. This structure protects the root key by keeping it offline while the intermediate handles daily certificate issuance.

Why Intermediate Certificates Are Important

Intermediate certificates exist primarily to protect root certificate private keys. If an intermediate CA key is compromised, the root CA can revoke just that intermediate without affecting certificates signed by other intermediates. If the root key itself were compromised, the entire CA would need to be distrusted.

The most common SSL configuration error is failing to install intermediate certificates on the server. When this happens, the server sends only its own certificate without the intermediates needed to complete the chain to the root. Some desktop browsers can work around this by fetching intermediates using the Authority Information Access (AIA) extension, but mobile devices and non-browser clients often cannot.

Most CAs provide a "full chain" or "bundle" file that includes all necessary intermediates. When configuring your web server (Apache, Nginx, etc.), you must include this bundle file alongside your server certificate. Missing intermediates cause intermittent failures that are hard to debug because they only affect certain clients.

Checking Your Setup

Use an SSL checker to verify your server sends the complete certificate chain. The tool will flag missing intermediates. If you see "incomplete chain" warnings, download the correct intermediate bundle from your CA and reconfigure your server to include it.
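
The missing-intermediate failure can be reproduced offline with the openssl command-line tool. The script below is an added example, not part of the original glossary entry: it builds a throwaway root, intermediate and server certificate (all subject names and file names are constructed) and verifies the server certificate as a client that trusts only the root, with -untrusted standing in for the certificates the server sends in the handshake.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI: root -> intermediate -> leaf (all names are examples).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() (
  set -e; cd "$WORK"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Root CA: self-signed, the only certificate the client trusts.
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Example Root CA" -keyout root.key -out root.pem
  # Intermediate CA: signed by the root.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_ca -days 2 -out int.pem
  # Server (leaf) certificate: signed by the intermediate, not by the root.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_leaf -days 2 -out leaf.pem
  # The "full chain" file a correctly configured server presents.
  cat leaf.pem int.pem > fullchain.pem
) >/dev/null 2>&1

# Verify the leaf as a client that trusts only the root. $1 is the file of
# certificates the server sent alongside the leaf ("" = leaf only).
client_verify() {
  openssl verify -CAfile "$WORK/root.pem" ${1:+-untrusted "$1"} "$WORK/leaf.pem" 2>&1
}

make_chain
echo "--- server sends the leaf certificate only:"
client_verify "" || echo "=> incomplete chain: client cannot reach the root"
echo "--- server sends fullchain.pem (leaf + intermediate):"
client_verify "$WORK/fullchain.pem" && echo "=> chain completes to the trusted root"
```

The leaf-only check fails with OpenSSL's "unable to get local issuer certificate" error, and the full-chain check prints OK.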

Common Questions About Intermediate Certificates

How many intermediate certificates are typical?
Most certificate chains have one or two intermediates between the server certificate and the root. Let's Encrypt uses one intermediate (like R3 or R10). Some CAs use two levels of intermediates for additional organizational separation.

Where do I get the intermediate certificate?
Your Certificate Authority provides the intermediate certificate, usually as a "CA bundle" or "chain file" alongside your server certificate. For Let's Encrypt, Certbot automatically downloads and configures the full chain.