Intermediate CA Certificates Explained

Learn why intermediate CA certificates exist, how they fit in the chain of trust, and how to troubleshoot missing intermediate certificates that cause TLS validation failures.

Security & Validation

Detailed Explanation

What Are Intermediate Certificates?

An intermediate certificate (also called a subordinate CA certificate) is a certificate issued by a root CA to an intermediate CA, which then issues end-entity certificates to websites and services. Intermediate certificates form the middle link in the certificate chain.

Why Intermediate CAs Exist

Root CA private keys are extraordinarily valuable: if one were compromised, every certificate chaining to that root (through all of its intermediates) would have to be distrusted, and the root itself would have to be pulled from every trust store. To protect root keys:

  1. Root keys are kept offline — stored in Hardware Security Modules (HSMs) in physically secured vaults
  2. Intermediates handle daily operations — they sign the actual server certificates
  3. Damage containment — if an intermediate key is compromised, only that intermediate's certificates are affected, not the entire root hierarchy

This separation is a defense-in-depth measure in PKI (Public Key Infrastructure): a compromised intermediate can be revoked by the root and replaced with a fresh one, without touching the trust stores that contain the root.

Identifying Intermediate Certificates

When you decode an intermediate certificate, you will see:

Subject: C=US, O=Let's Encrypt, CN=R3
Issuer:  C=US, O=Internet Security Research Group, CN=ISRG Root X1

X509v3 Basic Constraints: critical
    CA:TRUE, pathlen:0

Key indicators:

  • Subject != Issuer (a self-signed root CA has the same name in both fields)
  • Basic Constraints: CA:TRUE — authorized to sign other certificates (normally paired with Key Usage: Certificate Sign)
  • pathlen:0 — may only sign end-entity certificates; a chain containing another CA certificate below this one fails validation with a path-length error, even if every signature is valid

The Missing Intermediate Problem

This is one of the most common TLS misconfigurations. When a server sends only its end-entity certificate without the intermediate, the client has nothing linking the leaf to a root it trusts:

❌ End-Entity → ??? → Root CA (gap in chain)

✅ End-Entity → Intermediate → Root CA (complete chain)

Why browsers often still work — Chrome and Firefox keep a cache of intermediates seen on earlier sites; Chrome can also fetch a missing issuer from the Authority Information Access (AIA) URL embedded in the leaf, and Firefox ships a preloaded set of publicly trusted intermediates. Whether a given browser fills the gap therefore depends on its history, which makes the problem intermittent and hard to reproduce.

Why API clients fail — clients built on OpenSSL, GnuTLS, Go's crypto/tls, Java's default PKIX validator or Python's ssl module (curl, wget, most language HTTP libraries, many mobile app networking stacks) neither cache intermediates nor follow AIA by default. They validate only what the server sends, so the gap is fatal for them every time. Windows SChannel and Apple's TLS stack do fetch via AIA, which is why a site can work in Edge or Safari yet fail from a Linux host with "unable to get local issuer certificate".

How to Fix Missing Intermediates

  1. Download the intermediate from your CA's documentation (or take it from the chain file your ACME client already writes next to the certificate)
  2. Create a full chain file: leaf first, then the intermediate(s); the root is not needed because clients already have it in their trust store:
cat your-server.crt intermediate.crt > fullchain.pem
  3. Configure your server to send the full chain:
    • Nginx: ssl_certificate fullchain.pem;
    • Apache 2.4.8+: SSLCertificateFile fullchain.pem; (older releases: SSLCertificateFile your-server.crt; plus SSLCertificateChainFile intermediate.crt;)

Testing for Missing Intermediates

# Show every certificate the server sends (-servername sets SNI so you test the right vhost);
# a missing intermediate ends with "Verify return code: 21 (unable to verify the first certificate)"
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null

# Quick count of the PEM blocks sent: 1 means the server sent only its leaf
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'

# Online test
# SSL Labs (ssllabs.com) flags incomplete chains prominently ("Chain issues: Incomplete")

Intermediate Certificate Rotation

CAs periodically rotate their intermediate certificates. When that happens, a server still sending the old intermediate delivers a chain that no longer matches its new leaf, which is the missing-intermediate problem all over again. Let's Encrypt, for example, has issued under a succession of intermediates (the "R3" intermediate signed by ISRG Root X1 among them) and announces each new one in advance. If your ACME client writes a full chain file on every renewal (certbot's fullchain.pem), the rotation is picked up automatically; the usual failure is a hand-copied intermediate.crt that is never refreshed. Re-run the chain test from the previous section after every renewal.

Use Case

Troubleshoot TLS connection failures caused by missing intermediate certificates. Ensure your server's SSL configuration includes the full certificate chain for maximum client compatibility.
