Overview - Intermediate Root Certificates
What are Intermediate Root CA Certificates?
Intermediate certificates sit between an end entity certificate and a root certificate. They help complete a “Chain of Trust” from your certificate back to GlobalSign’s root certificate.
Customers installing a GlobalSign SSL certificate must install the appropriate intermediate root CA onto their web servers. This installation is only necessary once. After installation, all browsers, applications, and mobiles that recognize GlobalSign will trust GlobalSign SSL certificates. If customers do not install the appropriate intermediate root CA certificate then browsers, applications, and mobiles will not be able to recognize GlobalSign SSL certificates as being trusted. The intermediate root CA certificates do not need to be installed by visitors to your web site.
Where are the Intermediate Root Certificates located on the support site?
The intermediate root certificates for each product can be found at the following URL:
Select your product type, then choose your intermediate based on when you ordered your certificate.
Why Does GlobalSign Use Intermediate Root CA Certificates?
GlobalSign has always adopted a high security model when issuing digital certificates. We use a trust chain that ensures that the primary GlobalSign root CA (i.e., the certificate that is pre-installed with all browsers, applications, and mobiles) is “offline” and kept in a highly secure environment with stringently limited access. This means the root CA is not used to directly sign end entity SSL certificates. As such, GlobalSign employs a best-practices approach for its public key infrastructure by protecting against the major effects of a “key compromise”. A key compromise of the root CA would render the root and all certificates issued by the root untrustworthy. By keeping our root offline, the key is significantly less likely to become compromised.
Intermediate root CAs are used by all major Certification Authorities because of the extra security level they provide. GlobalSign has a long-standing history of using intermediate root CA certificates for this reason.
Figure One: Graphical Representation of the GlobalSign SSL Root CA Certificate Hierarchy
Figure Two: OrganizationSSL Certification Path in Internet Explorer
This is how the certification path of a successfully installed OrganizationSSL and its intermediates will look, where "www.globalsign.com" will be your common/domain name.
Note: The DomainSSL certification path will use the "GlobalSign Domain Validation CA" in place of the "GlobalSign Organization Validation CA".
Figure Three: ExtendedSSL Certification Path in Firefox
Using Firefox to view the certificate details of a successfully installed ExtendedSSL and its intermediates shows you how the certification path will look. When using Internet Explorer 7 to view the certification path of an ExtendedSSL, you will notice that there are only three certificates as opposed to the four seen here. This is because IE7 bypasses the cross certificate and chains to a different root.
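The following is an added example, not GlobalSign's code, that models how a client builds the certification path: it shows the path failing when the web server does not send the intermediate, and the three- versus four-certificate paths that result when a cross certificate is available. Certificates are reduced to subject/issuer names with no signature checks, and every name except www.globalsign.com is a constructed placeholder.

```python
from typing import List, NamedTuple, Optional


class Cert(NamedTuple):
    subject: str
    issuer: str


# Constructed placeholder names; only the leaf's common name is from the page.
LEAF = Cert("www.globalsign.com", "Example EV CA")
INTERMEDIATE = Cert("Example EV CA", "Example Root B")
CROSS = Cert("Example Root B", "Example Root A")  # Root B's name certified by Root A
ROOT_A = Cert("Example Root A", "Example Root A")  # self-signed
ROOT_B = Cert("Example Root B", "Example Root B")  # self-signed


def build_path(leaf: Cert, sent_by_server: List[Cert],
               trust_store: List[Cert]) -> Optional[List[Cert]]:
    """Return the chain from leaf to a trusted root, or None if none exists.

    Simplified model: links are matched by name only. A real validator also
    verifies signatures, validity dates, constraints and revocation.
    """
    trusted = {c.subject: c for c in trust_store}
    extras = {}
    for c in sent_by_server:
        extras.setdefault(c.subject, c)

    path, current = [leaf], leaf
    while len(path) <= 10:  # bound the chain length
        # Prefer ending at a locally trusted root over following more links.
        if current.issuer in trusted:
            root = trusted[current.issuer]
            if root != current:
                path.append(root)
            return path
        nxt = extras.get(current.issuer)
        if nxt is None or nxt in path:  # missing link or loop: untrusted
            return None
        path.append(nxt)
        current = nxt
    return None


if __name__ == "__main__":
    served = [INTERMEDIATE, CROSS]
    print("no intermediate sent:", build_path(LEAF, [], [ROOT_A, ROOT_B]))
    print("client trusts Root A:", len(build_path(LEAF, served, [ROOT_A])), "certs")
    print("client trusts Root B:", len(build_path(LEAF, served, [ROOT_B])), "certs")
```

The client that trusts only Root A needs the cross certificate and ends up with four certificates in the path, while the client that already trusts Root B stops at three.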