Root Certificate

Security Glossary - SSL/TLS

Definition: A root certificate is a self-signed certificate issued by a root Certificate Authority. It sits at the top of the certificate chain of trust. Operating systems and browsers ship with a pre-installed set of trusted root certificates, and any certificate chain that leads back to one of these roots is considered trusted.

Why Root Certificates Matter

Root certificates are the ultimate trust anchors for the entire web PKI (Public Key Infrastructure). Every HTTPS connection ultimately depends on the browser trusting a root certificate. If a root CA's key is compromised, every certificate it has ever signed - directly or through intermediates - becomes suspect.

Because of this enormous trust, root CA keys are stored in heavily secured, air-gapped hardware security modules and are used infrequently. Day-to-day certificate issuance is done by intermediate CAs. The root signs the intermediate's certificate once, and then the root key goes back into secure storage.

Browser and OS vendors maintain root certificate programs (Apple Root Program, Mozilla Root Program, Microsoft Trusted Root Program) that set the requirements CAs must meet. CAs that fail to meet these standards can be removed, as happened with WoSign/StartCom and Symantec. Website operators do not directly interact with root certificates, but should be aware that the trustworthiness of their certificate chain depends on the root CA's standing in these programs.

How to Check

An SSL checker shows the complete certificate chain including which root CA anchors the trust. You can also view the root by clicking the lock icon in your browser and inspecting the certificate details. If your certificate chain does not lead to a widely trusted root, you will see trust warnings.

Frequently Asked Questions

What happens if a root certificate expires?

Root certificates typically have very long validity periods (20-30 years). When one does expire, the CA issues a new root and cross-signs it with the old one during a transition period. Older devices that do not receive trust store updates may fail to connect.

Can I add my own root certificate?

On devices you control, yes. Organizations often add internal root certificates for corporate proxies or internal services. However, adding a root certificate means trusting everything it signs, so this should only be done for your own controlled CAs.
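The following script is an added example, not part of this glossary entry and not DomainOptic's tooling. It builds a throwaway PKI with the openssl command line (an "old" root, a "new" root, a cross-signed copy of the new root, an intermediate and a leaf; all names such as "Example Old Root" and www.example.test are made up) and then runs `openssl verify` in the four situations described above: the new root is in the trust store, the old root is in the trust store and the server also sends the cross-signed root, an un-updated device that trusts only the old root and receives no cross-certificate, and a server that sends the new root itself even though the device does not trust it. It assumes openssl 1.1.1 or newer is on PATH.

```shell
#!/bin/sh
# Added example, not DomainOptic's code and not a real CA: a throwaway PKI
# built with the openssl CLI to show what "chains back to a trusted root"
# means. All names ("Example Old Root", www.example.test) are made up.
# Assumes openssl 1.1.1 or newer on PATH.
set -e

# issue NAME SUBJECT ISSUER EXTFILE [KEYNAME]: create a key (if missing) and a
# CSR for NAME, then have ISSUER sign it. ISSUER = NAME gives a self-signed
# certificate, which is what a root is. KEYNAME lets the new root's key be
# certified a second time by the old root (cross-signing) without a new key.
issue() {
  name=$1 subj=$2 issuer=$3
  ext=$4 key=${5:-$1}
  [ -f "$dir/$key.key" ] ||
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
      -out "$dir/$key.key" 2>/dev/null
  openssl req -new -key "$dir/$key.key" -subj "$subj" -out "$dir/$name.csr" 2>/dev/null
  if [ "$issuer" = "$name" ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$key.key" -days 3650 -sha256 \
      -extfile "$dir/$ext" -out "$dir/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" \
      -CAcreateserial -days 3650 -sha256 -extfile "$dir/$ext" -out "$dir/$name.pem" 2>/dev/null
  fi
}

# build_pki DIR: old root, new root, cross-signed new root, intermediate, leaf.
build_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"
  issue oldroot       "/CN=Example Old Root"     oldroot      ca.ext          # self-signed
  issue newroot       "/CN=Example New Root"     newroot      ca.ext          # self-signed
  issue newroot-cross "/CN=Example New Root"     oldroot      ca.ext newroot  # old root vouches for the new root's key
  issue intermediate  "/CN=Example Intermediate" newroot      ca.ext          # root signs once, then stays offline
  issue leaf          "/CN=www.example.test"     intermediate leaf.ext        # day-to-day issuance by the intermediate
}

# verify_chain TRUSTED UNTRUSTED LEAF: TRUSTED plays the device's trust store,
# UNTRUSTED the certificates a server sends alongside its leaf. Prints OK/FAIL.
verify_chain() {
  if openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

demo() {
  dir=$(mktemp -d)
  build_pki "$dir"
  cat "$dir/intermediate.pem" "$dir/newroot-cross.pem" > "$dir/chain-cross.pem"
  cat "$dir/intermediate.pem" "$dir/newroot.pem"       > "$dir/chain-selfsigned.pem"
  echo "new root trusted, intermediate sent:                   $(verify_chain "$dir/newroot.pem" "$dir/intermediate.pem" "$dir/leaf.pem")"
  echo "old root trusted, intermediate + cross-cert sent:      $(verify_chain "$dir/oldroot.pem" "$dir/chain-cross.pem" "$dir/leaf.pem")"
  echo "old root trusted, intermediate only (stale device):    $(verify_chain "$dir/oldroot.pem" "$dir/intermediate.pem" "$dir/leaf.pem")"
  echo "old root trusted, server sends the new root itself:    $(verify_chain "$dir/oldroot.pem" "$dir/chain-selfsigned.pem" "$dir/leaf.pem")"
  # What an SSL checker shows: the full path up to the root that anchors trust.
  openssl verify -show_chain -no-CApath -CAfile "$dir/newroot.pem" \
    -untrusted "$dir/intermediate.pem" "$dir/leaf.pem"
  rm -rf "$dir"
}

demo
```

The last two cases are the ones worth remembering: a device that trusts only the old root succeeds only when the cross-signed certificate is delivered with the chain, and sending a self-signed root along with the leaf does nothing, because a root is trusted only when it is already in the verifier's trust store.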
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.