Root and Intermediate Certificates
The Root and Intermediate Certificates section enables organizations to manage trust anchors and certificate chains within CERTInext. These certificates form the foundation of trust for both public and private PKI environments and are essential for validating issued end-entity certificates.
CERTInext allows administrators to upload, store, view, and manage Root and Intermediate certificates to ensure complete trust chain visibility across discovery, provisioning, and validation workflows.
Purpose
Managing Root and Intermediate certificates enables:
Establishing trust for Private CA hierarchies
Maintaining full certificate chain visibility
Supporting validation during provisioning and renewal
Enabling internal trust store distribution
Simplifying troubleshooting of chain-related errors
Without proper chain configuration, deployed certificates may fail validation even if successfully issued.
Navigation
Certificates → Certificate Authorities → Root / Intermediate Certificates (or via CA management sections where trust chain components are maintained)
Root Certificates
A Root Certificate is the top-level trust anchor in a PKI hierarchy. It is self-signed and used to sign Intermediate CAs.
Key characteristics:
Self-signed certificate
Highest level of trust
Used to establish chain validation
Typically stored securely and rarely rotated
In CERTInext, administrators can:
Upload Root certificates
View certificate metadata
Associate roots with Private CA hierarchies
Validate trust relationships
Intermediate Certificates
An Intermediate Certificate (Subordinate CA) is signed by the Root CA, or by a higher-level Intermediate in deeper hierarchies, and is the CA that actually issues end-entity certificates. Keeping day-to-day issuance on an Intermediate is what allows the Root key to stay offline.
Key characteristics:
Signed by a Root CA (or by a parent Intermediate)
Issues leaf/end-entity certificates
Supports hierarchical trust models
May be multiple levels deep
In CERTInext, administrators can:
Upload intermediate certificates
Map intermediates to corresponding Roots
Maintain certificate chain order
Use intermediates during provisioning workflows
Uploading Certificates
When adding a Root or Intermediate certificate, administrators typically provide:
Certificate file (.cer, .crt, .pem)
Optional chain bundle (if applicable)
Logical name for identification
After upload:
CERTInext parses certificate details
Displays issuer, subject, validity, and thumbprint
Validates chain relationships (if applicable)
Certificate Chain Validation
CERTInext uses stored Root and Intermediate certificates to:
Validate discovered certificates
Verify provisioning outputs
Detect incomplete or broken chains
Identify trust mismatches
If a chain is incomplete:
The certificate may appear as untrusted
Deployment validation may fail
Applications may show browser or service warnings
Keeping the stored chain components current (for example, after an Intermediate is renewed) prevents validation failures during automated renewal and deployment.
Trust Store Considerations
For Private PKI environments:
Root certificates must be distributed to client trust stores
Intermediate certificates must be installed on servers alongside the end-entity certificate, because clients are not expected to have them
Validation follows the hierarchy Root → Intermediate → End-Entity, but the chain a server sends is ordered the other way: end-entity first, then each Intermediate up to the Root; the Root itself is normally omitted from the served chain since it lives in the client trust store
CERTInext provides visibility and lifecycle tracking, but distributing Roots to endpoint trust stores may require additional deployment workflows.
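The upload parsing, chain validation and chain-ordering behaviour described in the sections above, as an added example in Python using the `cryptography` package. This is illustrative code, not CERTInext's own implementation or API. The CA names (Example Root CA, Example Issuing CA 1, app.example.internal), the ECDSA keys and the certificates are all constructed in the script. The chain walk first matches issuers by name, then requires the candidate to be a CA and to actually verify the signature, so a missing Intermediate ("incomplete chain") is reported differently from a same-named Root with a different key ("trust mismatch"), and an expired certificate is reported as such.

```python
# Added example, not CERTInext code: build a Root -> Intermediate -> leaf hierarchy with the
# `cryptography` package, extract the metadata shown after upload, validate the chain, and
# order a bundle for server installation. Every name, key and certificate is constructed here.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def in_days(n):
    return datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=n)

def make_cert(subject_cn, issuer_cn, subject_key, issuer_key, is_ca, days):
    """Certificate for subject_key, signed by issuer_key (ECDSA P-256 / SHA-256)."""
    sub, iss = (x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]) for cn in (subject_cn, issuer_cn))
    return (x509.CertificateBuilder()
            .subject_name(sub).issuer_name(iss)
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(in_days(-1)).not_valid_after(in_days(days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_hierarchy():
    """Constructed demo PKI: offline root, issuing intermediate, one server leaf."""
    root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Example Root CA", "Example Root CA", root_key, root_key, True, 3650)
    inter = make_cert("Example Issuing CA 1", "Example Root CA", int_key, root_key, True, 1825)
    leaf = make_cert("app.example.internal", "Example Issuing CA 1", leaf_key, int_key, False, 397)
    return root, inter, leaf

def _validity(cert):  # aware UTC datetimes on both old and new cryptography releases
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)

def _is_ca(cert):
    bc = [e.value for e in cert.extensions if isinstance(e.value, x509.BasicConstraints)]
    return bool(bc) and bc[0].ca

def describe(cert):
    """The fields a chain-management UI shows after upload."""
    nb, na = _validity(cert)
    return {"subject": cert.subject.rfc4514_string(), "issuer": cert.issuer.rfc4514_string(),
            "not_before": nb.isoformat(), "not_after": na.isoformat(),
            "sha256_thumbprint": cert.fingerprint(hashes.SHA256()).hex(":").upper(),
            "is_ca": _is_ca(cert), "self_signed": cert.subject == cert.issuer}

def parse_uploaded(pem_bytes):  # what an uploaded .pem/.crt file turns into
    return describe(x509.load_pem_x509_certificate(pem_bytes))

def _find_issuer(cert, candidates):
    """Name match is not proof: the candidate must be a CA whose key verifies the signature."""
    by_name = [c for c in candidates if c.subject == cert.issuer]
    if not by_name:
        return None, f"incomplete chain: no certificate for issuer {cert.issuer.rfc4514_string()}"
    for cand in by_name:
        try:  # demo CAs are ECDSA; an RSA CA would need padding.PKCS1v15() here instead
            if _is_ca(cand):
                cand.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                         ec.ECDSA(cert.signature_hash_algorithm))
                return cand, "ok"
        except InvalidSignature:
            pass
    return None, (f"trust mismatch: {cert.issuer.rfc4514_string()} is present "
                  f"but did not sign {cert.subject.rfc4514_string()}")

def validate_chain(leaf, intermediates, roots, now=None):
    """Walk from the leaf to a trusted root. Returns (ok, subjects_on_path, reason)."""
    now = now or in_days(0)
    trusted = {r.fingerprint(hashes.SHA256()) for r in roots}
    path, cert = [leaf], leaf
    for _ in range(len(intermediates) + 2):  # bounded walk: leaf, intermediates, root
        subjects = [c.subject.rfc4514_string() for c in path]
        nb, na = _validity(cert)
        if not nb <= now <= na:
            return False, subjects, f"outside validity period: {subjects[-1]}"
        if cert.fingerprint(hashes.SHA256()) in trusted:
            return True, subjects, "ok"
        cert, reason = _find_issuer(cert, list(roots) + list(intermediates))
        if cert is None:
            return False, subjects, reason
        path.append(cert)
    return False, subjects, "chain longer than expected; check for a loop"

def order_for_server(certs):
    """Leaf first, then each issuer; a self-signed root is dropped (it belongs in trust stores)."""
    issuers = {c.issuer for c in certs if c.subject != c.issuer}
    chain = [c for c in certs if c.subject not in issuers]  # issued to nobody below it: the leaf
    if len(chain) != 1:
        raise ValueError("bundle must contain exactly one end-entity certificate")
    while chain[-1].subject != chain[-1].issuer:
        nxt = next((c for c in certs if c.subject == chain[-1].issuer and c not in chain), None)
        if nxt is None:
            break  # bundle stops below the root, which is fine for a served chain
        chain.append(nxt)
    return [c for c in chain if c.subject != c.issuer]
```

`validate_chain(leaf, [inter], [root])` returns `(True, [leaf, intermediate, root subjects], "ok")`; dropping the intermediate yields an "incomplete chain" reason, and validating against a root with the same name but a different key yields "trust mismatch", which is the case a name-only comparison would wrongly accept. `order_for_server` accepts a bundle in any order and returns the leaf-first list most TLS servers expect, without the Root.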
Important Note
Root certificates typically have long validity periods
Intermediate certificates may require periodic renewal
Replacing an intermediate requires updating associated certificate chains
Removing a Root may impact validation of multiple certificates
Changes to Root or Intermediate certificates should be carefully planned and tested.
Security Best Practices
Protect Root private keys in offline or HSM environments
Limit access to Root certificate management
Regularly audit intermediate CA validity
Avoid unnecessary duplication of trust anchors
Maintain documented CA hierarchy diagrams