Root certificates are one of the pillars of internet security. They are the basis of validating the identity of websites through SSL/TLS certificates, providing digital signatures, and more. But how exactly do they work, and why are they so important? This article will explain everything you need to know about root certificates.
What is a Root Certificate?
A root certificate is a special digital certificate issued and digitally signed by a Certificate Authority (CA) such as SSL.com. It represents the top level of trust in a certificate hierarchy. Root certificates are sometimes called trust anchors because they are the ultimate source of verification for issued certificates.
When a CA issues a certificate to an entity like a website, it must be validated by tracing it back to a trusted root. The root certificate contains the public key needed to verify that chain of trust. Root certificates are typically self-signed, meaning their signature is generated with the certificate’s own private key.
All major web browsers and operating systems come with a pre-installed set of trusted root certificates from major certificate authorities. This allows them to automatically verify SSL/TLS certificates used for securing and identifying webservers after which the browser displays that certificate is trusted and the webserver is secured. Similarly, Adobe maintains a trust store of roots that are trusted for digital signatures and Microsoft maintains a trust store of roots that are trusted for code signing signatures.
Hierarchy of Trust
Root CAs are at the top of a certification hierarchy that cascades down into intermediate certificates and end-entity certificates:
- Root certificates such as SSL.com’s – self-signed root, represent ultimate trust.
- Intermediate certificates – signed by the root CA.
- End-entity certificates – issued to users and servers, signed by intermediates
By segregating duties, intermediate CAs, also known as “issuing CAs” can issue certificates daily without accessing the highly protected root keys. The root keys can be kept offline and are only used occasionally to generate intermediate CAs and other specialty certificates, like time stamping or CRLs.
When an intermediate authority issues a digital certificate, it contains the issuing CA signature and a chain of certificates linking back to the root. This chain is followed to verify the end certificate.
Importance and Function of Root Certificates
Root certificates serve several crucial functions:
- Trust Anchor – They are the trust anchor that establishes a chain of trust. All certificates issued by the PKI can be validated by tracing back to the Root.
- Secure Web Browsing – Enables secure HTTPS connections. Browsers verify website certificates by chaining them up to a trusted Root.
- Verify Software – Used to authenticate digitally signed software like OS updates, apps, utilities, etc. Signatures are checked against the Root.
- Encrypt Communication – Allows secure email and data transfer by enabling encryption paired with the root’s signature.
- Without Root certificates, there would be no centralized mechanism to establish trust for certificates and public keys. They provide the authoritative trust source underpinning public key cryptography.
Major Root Certificate Authorities
There are around 60 authorities that operate Publicly Trusted Root certificate programs. SSL.com, is a leading example, acting as a Root CA. We use extensive validation procedures before issuing intermediate CA certificates to domain owners who need SSL certificates. Our root keys are protected by hardware and software in secure facilities.
Major organizations like Microsoft, Apple, Mozilla, and Oracle decide which Root CAs they will trust by default in their software. Similarly, Adobe has a trust store of roots trusted to issue document signing certificates whose signatures are recognized by Adobe readers as valid. In addition to their browser software, Microsoft also maintains a trust store of roots whose code signing certificates are trusted. A CA like SSL.com must meet stringent requirements to become a Publicly Trusted Certification Authority embedded in root stores. By acting as a Root CA, we can issue Trusted certificates without relying on an external root authority. Our root certificate serves as the trust anchor for our hierarchy.
Browsers and Root Certificates
Web browsers come preloaded with a trust store containing over 100 trusted root certificates from major CAs. This allows them to validate SSL/TLS certificates used for HTTPS websites seamlessly.
When you visit a website secured with SSL/TLS, the browser will:
- Receive the website’s certificate and chain of intermediate certificates.
- Validate the chain of trust back to a built-in trusted root certificate.
- Check that the domain name matches the website certificate.
- Display the secure lock icon and allow an encrypted connection.
It will warn the user if the browser encounters an invalid certificate, an untrusted root, or a domain name mismatch.
Browsers also have certificate management tools for viewing Root CAs and making trust decisions. Chrome, Firefox, Edge, and Safari allow users to view, export, or disable root certificates.
Installing & Managing Root Certificates
Although OS and browsers come with pre-installed roots, you may need to install additional root certificates in some cases:
- To trust your company’s private PKI certificate chain
- If using a new or unfamiliar certificate authority
- When troubleshooting “untrusted certificate” errors
Root certificates can be installed globally at the OS level or locally at the browser or application level. On Windows, the Certificate Manager handles trusted roots. On Mac, roots are located in Keychain Access. In Linux, they go under /etc/ssl. SSL.com provides its root and intermediate certificates for download on our website.
When installing a new root, verifying it is valid and comes from a reputable source is important. Once installed, invalid or compromised roots can be untrusted or deleted. However, revoking trust in a major public root may cause widespread application breakage.
Expiration and Renewal of Root Certificates
Root certificates have long lifetimes of 20 years or more. But they still ultimately expire for security reasons. As roots near expiration, CAs must roll out new roots and transition users and software to trust the new keys.
Some impacts of expiring, old, or untrusted root certificates include:
- Invalid certificate warnings in browsers
- Broken certificate chains causing connection errors
- Software unable to validate signature checks
Best practices for managing root expiration include:
- Renewing root keys on a long timeframe with overlap
- Using parallel roots and overlapping validity periods
- Getting new roots distributed in client software updates
- Revoking/removing old roots after the transition is complete
Proper root certificate lifecycle management is crucial to avoiding disruptions in trusted communication and software verification.
Protecting Root Certificate Keys
Due to their fundamental role in establishing trust, the private keys associated with root certificates must be extremely highly protected. Industry standards recommend:
- Keeping keys offline in secure storage like a hardware security module (HSM)
- Maintaining elaborate physical and software security
- Only accessing when necessary, using multi-party controls
- Managing keys only within secure cryptographic modules
- Deleting private keys completely when no longer required
Following strict key ceremony procedures and separation of duties for root CAs protects the PKI trust anchor from compromise.