These days, it may seem that having a properly installed intermediate SSL certificate is no longer needed for your website. Although browsers like Google Chrome may automatically go out and fetch the proper intermediate go-between, other browsers like Firefox may be hit or miss, and mobile browsing may cause security warnings.
Let’s break it down a bit more…
What is an Intermediate Certificate?
An intermediate SSL certificate is a subordinate cert that is signed by a trusted root certificate. It may also be signed by another intermediate certificate. This is known as a proper SSL chain linking an end-user certificate to a root certificate.
Web browsers have a large list of root certificates that they trust. These are the foundation of SSL, ensuring that issued SSL certificates are actually valid and trustworthy. However, root certificates do not sign all certificates, including intermediates. They are “higher” up the chain.
So intermediate certificates are used to sign the end-user SSL certificates in use on a website. They fall in-between the global root certificates and the end user SSL certs. They complete the digital SSL security chain.
What happens if an intermediate SSL cert is missing?
As I eluded to at the beginning of this post, it depends. Google Chrome on the desktop will go out and fetch a missing intermediate cert. Firefox will see if it has the intermediate saved from another website or session. So sometimes Firefox works, other times it outputs a security warning page.
On mobile browsing, most times a missing intermediate cert will generate a security warning. Other browsers may have issues with missing or improperly installed intermediate certificates.
The best thing to do is to make sure your SSL certificate is installed properly…
How to test that a certificate is installed correctly?
Using our Why No Padlock? service is one way to test that your SSL certificate is installed correctly. Our tests on the certificate include:
- Verify there is a valid SSL certificate
- Verify the start and end dates are current and not expired
- Verify the certificate is signed by a valid issuer (i.e. it’s not a self signed cert)
- Verify the SSL chain, including intermediate certs, are installed properly
- See what SSL Protocols are allowed (TLS 1.0, TLS, 1.1, TLS 1.2, etc…)
You can also use SSL Labs Test to more thoroughly investigate your SSL certificate itself.
As you can see, it is still important to have a properly installed SSL certificate. One missing link in the chain can cause visitors to not be able to reach your site, API features to fail, etc… Always test your certificate each time it is updated / renewed to make sure all is well.