Intermediate Certificates sit between an end Entity Certificate and a Root Certificate. They help complete a “Chain of Trust” from your Certificate back to GlobalSign’s Root Certificate.
Figure One: Graphical Representation of the GlobalSign SSL Root CA Certificate Hierarchy
Customers installing a GlobalSign SSL Certificate must install the appropriate Intermediate Certificate onto their web servers. This installation is only necessary once. After installation, all browsers, applications, and hardware that recognize GlobalSign will trust GlobalSign SSL Certificates. If customers do not install the appropriate Intermediate Certificate then browsers, applications, and hardware will not be able to recognize GlobalSign SSL Certificates as being trusted. The Intermediate Certificates do not need to be installed by visitors to your web site.
Figure Two: OrganizationSSL Certification Path in Internet Explorer
The Intermediate Certificates for each product can be found at the following URL:
Select your product type, then choose the type of Certificate you need based on key size or hash algorithm.
GlobalSign has always adopted a high security model when issuing Digital Certificates. We use a trust chain that ensures that the primary GlobalSign root CA (i.e., the Certificate that is pre-installed with all major browsers, applications, and mobiles/hardwares) is “offline” and kept in a highly secure environment with stringently limited access. This means the root CA is not used to directly sign end entity SSL Certificates. As such, GlobalSign employs a best practices approach for its public key Infrastructure by protecting against the major effects of a “key compromise”. A key compromise of the root CA would render the root and all Certificates issued by the root untrustworthy. By keeping our root offline the key is significantly less likely to become compromised.
Intermediate Certificates are used by all major Certification Authorities because of the extra security level they provide. GlobalSign has a long-standing history of using Intermediate Certificates for this reason.
Figure Three below shows how the certification path of a successfully installed OrganizationSSL Certificate and its intermediates will look, where "www.globalsign.com" would be your common/domain name.
Note: The DomainSSL certification path will use the "GlobalSign Domain Validation CA'"in place of the "GlobalSign Organization Validation CA".
Figure Three: ExtendedSSL Certification Path in Firefox
Using Firefox to view the Certificate details of a successfully installed ExtendedSSL and its intermediates shows you how the certification path will look. When using Internet Explorer 7 to view the certification path of an ExtendedSSL, you will notice that there are only three Certificates opposed to the four seen here. This is because IE7 bypasses the Cross Certificate and chains to a different root.