What is a Root Certificate? (2024)

A Root SSL certificate is a certificate issued by a trusted certificate authority (CA).

In the SSL ecosystem, anyone can generate a signing key and use it to sign a new certificate. However, that certificate isn’t considered valid unless it has been directly or indirectly signed by a trusted CA.

A trusted certificate authority is an entity that’s entitled to verify someone is who they say they are. In order for this model to work, all participants must agree on a set of trusted CAs. All operating systems and most web browsers ship with a set of trusted CAs.

The SSL ecosystem is based on a model of a trust relationship, also called the “chain of trust”. When a device validates a certificate, it compares the certificate issuer with the list of trusted CAs. If a match isn’t found, the client checks to see if the certificate of the issuing CA was issued by a trusted CA, and continues until the end of the certificate chain. The top of the chain, the root certificate, must be issued by a trusted Certificate Authority.

The list of trusted CAs is critical, because it determines the security level of an entire system.
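
The chain walk described above can be reproduced with the `openssl` command line. This is an added example, not part of the original page: it builds a constructed root, intermediate and leaf certificate (all names, file names and the `.test` hostname are made up) and verifies the leaf against different trust stores.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf chain; every name is made up.
dir=$(mktemp -d) && cd "$dir" || exit 1

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ext_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ext_leaf]
basicConstraints = critical,CA:FALSE
EOF

# self_signed NAME CN: new key plus a self-signed CA certificate (issuer == subject).
self_signed() {
  openssl req -x509 -config pki.cnf -extensions ext_ca -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" -days 30 2>/dev/null
}

# issued NAME CN ISSUER EXT: new key and CSR, then a certificate signed by ISSUER's key.
issued() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -extfile pki.cnf -extensions "$4" -days 30 -out "$1.crt" 2>/dev/null
}

# chain_status STORE [INTERMEDIATE]: verify leaf.crt with STORE as the trusted CA list.
# INTERMEDIATE is passed as -untrusted: it helps build the chain but is never an anchor.
chain_status() {
  if openssl verify -CAfile "$1" ${2:+-untrusted "$2"} leaf.crt >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

self_signed root  "Constructed Root CA"
self_signed other "Unrelated Root CA"
issued int  "Constructed Intermediate CA" root ext_ca
issued leaf "www.example.test"            int  ext_leaf

echo "root in store, intermediate supplied: $(chain_status root.crt int.crt)"
echo "root in store, intermediate missing:  $(chain_status root.crt)"
echo "only an unrelated root in store:      $(chain_status other.crt int.crt)"
```

Only the first check succeeds: the same leaf is rejected when the intermediate is missing from the chain, and when the store holds a different root, which is why the contents of the trusted CA list decide the outcome.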

FAQs

What is the use of root certificate?

A root certificate is a type of digital certificate that is self-signed and used to verify the identity of the root certificate authority (Root CA) in a chain of trust. Positioned at the apex of the certificate hierarchy, it is inherently trusted by network infrastructures, browsers, and operating systems.

Is a root certificate necessary?

As you can see, the root certificate is the most important part of a trust chain, as it is what is used to validate an end-user certificate. A root program helps manage the root certificates and their public keys, which are kept on the device in a particular location called the root store.

How do I get my root certificate?

Requesting the Root Certification Authority Certificate by using command line:
  1. Log into the Root Certification Authority server with Administrator Account.
  2. Go to Start > Run. Enter the text Cmd and then select Enter.
  3. To export the Root Certification Authority server to a new file name ca_name.cer, type:

Why is root certificate not trusted?

The most common cause of a "certificate not trusted" error is that the certificate installation was not properly completed on the server (or servers) hosting the site. Use our SSL Certificate tester to check for this issue. In the tester, an incomplete installation shows one certificate file and a broken red chain.

Should I delete root certificates?

There may come a time when you need to delete a System Root certificate. This is not something you should do lightly, but maybe a cert was installed by an update that you know is bad. Maybe a cert is expired. This isn't a huge deal, but there's no reason for it to be there.

How do I know if my root certificate is trusted?

Here are the steps to do this on a Windows 10/11 computer:
  1. Open the Run Dialog: Press Windows key + R to open the Run dialog.
  2. Open MMC: Type mmc into the Run dialog and press Enter. ...
  3. Add the Certificates Snap-in: ...
  4. Access the Trusted Root Certification Authorities: ...
  5. Manage Certificates: ...
  6. Close MMC:

What does a root certificate identify?

In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA).

How long do root certificates last?

Root certificates also typically have long periods of validity, compared to intermediate certificates. They will often last for 10 or 20 years, which gives enough time to prepare for when they expire. However, there still can be hiccups in the process of switching to the new root certificate.

What happens if a root certificate is compromised?

Any such compromise may force revocation and reissuance of some or all of the previously issued certificates. A root compromise, such as a stolen root private key, destroys the trust of your PKI and can easily drive you to reestablish a new root and subsidiary issuing CA infrastructure.

How do I create a root certificate?

Select CA type

Select Root CA. In the Valid for field, enter the duration for which you want the certificates issued by the CA certificate to be valid. Optional: select a tier for the CA. Click Region and in the list, select the location where you want to create the CA.

How many root certificates are there?

As of 24 August 2020, 147 root certificates, representing 52 organizations, are trusted in the Mozilla Firefox web browser, 168 root certificates, representing 60 organizations, are trusted by macOS, and 255 root certificates, representing 101 organizations, are trusted by Microsoft Windows.

What are DoD root certificates?

The digital certificate of the root CA is self-signed, that is, the root CA authenticates its own identity. The root CA signs the digital certificates issued to subordinate CAs in its domain. The DoD root CA is the trust anchor for the DoD PKI subscribers.

What does installing a root certificate do?

A root certificate is necessary because it is used to verify the authenticity of other intermediate and end-entity certificates. Without a root certificate, a system is left either unprotected or unusable.

What can you do with a root certificate?

The root certificate is used to issue intermediate certificates, which in turn make it possible to register SSL certificates for end users. These certificates inherit the trust level from the root certificate.

What is an untrusted root certificate?

An untrusted SSL/TLS certificate is characterized by the fact that if a site visitor enters a site where the data transmission is encrypted using this certificate, a notification is automatically displayed stating that the certificate is not issued by a verified and trusted certification authority, with a question ...

What happens when a root certificate expires?

When the root CA certificate expires, operating systems will invalidate the certificate. This affects all certificates down the hierarchy chain discussed above. It may cause service outages, downtime for websites, software, and email clients, bugs, and other issues.

What is the difference between root and CA certificates?

This is actually fairly straightforward. A Root CA is a Certificate Authority that owns one or more trusted roots. That means that they have roots in the trust stores of the major browsers. Intermediate CAs or Sub CAs are Certificate Authorities that issue off an intermediate root.

Article information

Author: Errol Quitzon
