How To Distinguish Between A Root Certificate And An Intermediate Certificate

Document ID : KB000049457
Last Modified Date : 14/02/2018

Description:

How can one distinguish between a Root certificate and an intermediate certificate?

Solution:

If you list the certificates, you will see a subject distinguished name (SDN) and an issuer distinguished name (IDN) for each one. If the issuer distinguished name and subject distinguished name are not the same, then the certificate is signed by another certificate, and the issuer distinguished name indicates who signed it.

An intermediate certificate is a root certificate that has been signed by another root certificate. The issuer distinguished name of the intermediate root certificate will show who signed it.

If the IDN and SDN are the same and the certificate is on the CERTAUTH ACID, it is the root certificate.

If the IDN and SDN are not the same, and the listing contains a line such as

CERTIFICATE WAS SIGNED BY: ACID(xxx) DIGICERT(yyy)

then that certificate is the intermediate certificate.

The CA signing certificate is the '(yyy)' in that line.

The root certificate is not signed by another certificate. If it were, it would be an intermediate root. A root certificate is self-signed, in other words, not signed by another certificate. The root is the end of the certificate chain. Just like a metal chain, there is an end. The link at the end is the root. The rest of the links are intermediate.
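The SDN/IDN comparison and the walk along the chain to its root, as an added Python example that is not part of the original document or any vendor code. The labels and distinguished names are constructed sample data, the function names are hypothetical, and the DN normalization assumes no escaped commas inside attribute values.

```python
# Added example, not vendor code. Records are constructed sample data:
# (label, ACID, subject DN, issuer DN) as read from a certificate listing.
CERTS = [
    ("ROOTCA", "CERTAUTH", "CN=Example Root CA, O=Example, C=US",
     "CN=Example Root CA, O=Example, C=US"),
    ("ISSUECA", "CERTAUTH", "CN=Example Issuing CA,O=Example,C=US",
     "cn=example root ca, o=Example, c=us"),
    ("POLICYCA", "CERTAUTH", "CN=Example Policy CA,O=Example,C=US",
     "CN=Missing Root CA,O=Example,C=US"),
]

def norm(dn):
    """Normalize a DN so case and spacing differences do not matter.
    Assumes no escaped commas inside attribute values."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().upper(), " ".join(value.split()).lower()))
    return tuple(rdns)

def classify(acid, subject, issuer):
    """Apply the article's SDN/IDN rule, which covers CERTAUTH only."""
    if acid != "CERTAUTH":
        return "other"  # assumption: outside the rule described here
    return "root" if norm(subject) == norm(issuer) else "intermediate"

def chain_to_root(label, certs):
    """Follow issuer DNs link by link. Returns the labels ending at the
    root, or None if a signer is missing from the listing or it loops."""
    by_label = {c[0]: c for c in certs}
    by_subject = {norm(c[2]): c for c in certs}
    current, path = by_label[label], []
    while current[0] not in path:
        path.append(current[0])
        if norm(current[2]) == norm(current[3]):
            return path  # reached the self-signed end of the chain
        current = by_subject.get(norm(current[3]))
        if current is None:
            return None  # signer is not in the listing
    return None  # loop: the chain never reaches a root

if __name__ == "__main__":
    for label, acid, subject, issuer in CERTS:
        print(label, classify(acid, subject, issuer),
              chain_to_root(label, CERTS))
```

A `None` result for an intermediate means its signing certificate is absent from the listing, so the chain cannot be followed to a root from the certificates on hand.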