Root CA, Intermediate CA, Server Certificates, and Private Keys Explained

By /

When setting up TLS for your own services, or working with certificates from a commercial Certificate Authority, you will encounter three main kinds of certificates:

  • Root CA
  • Intermediate CA
  • Server (or client) certificate

Each comes with its own private key. Understanding which certificates to distribute, which private keys to protect, and who needs what is essential to building a secure PKI.

Root CA: The Trust Anchor

  • Certificate: The Root CA (root_ca.crt) is the ultimate trust anchor.
  • Private Key: root_ca.key
    • Must be kept highly secure and offline.
    • Used only to sign intermediates.
    • Never used to directly sign server or client certificates.
  • Lifetime: Very long (10–20 years).
  • Where it goes:
    • Certificate → distributed to client trust stores.
    • Private key → kept secret, not on production servers.

Intermediate CA: The Issuer in the Middle

  • Certificate: The Intermediate CA (intermediate_ca.crt) bridges the root and your servers.
  • Private Key: intermediate_ca.key
    • Must also be kept secret.
    • Used to sign end-entity certificates (server, client, device).
    • More short-lived (1–5 years) and can be rotated or revoked if compromised.
  • Where it goes:
    • Certificate → must be served by the server together with its own certificate.
    • Private key → stored securely on the CA machine, never distributed.

Server Certificate: The Identity of the Service

  • Certificate: The Server cert (server.crt) identifies a specific domain or device.
  • Private Key: server.key
    • Must remain on the server only.
    • Never shared or transmitted.
  • Lifetime: Short (90 days – 1 year).
  • Where it goes:
    • Certificate → combined with the intermediate in a chain file and sent to clients.
    • Private key → used by the server to prove possession during TLS handshake.

Server vs Client: Who Needs What?

Server

  • Must send:
    • server.crt
    • intermediate_ca.crt
  • Must keep secret:
    • server.key

Client

  • Must trust:
    • root_ca.crt (in trust store)
  • Does not need:
    • intermediate or server private keys
  • Validates:
    • server.crt → intermediate_ca.crt → root_ca.crt

Private Key Rules of Thumb

  • Root CA private key → keep offline, only used to sign intermediates.
  • Intermediate CA private key → online if you run an issuing CA, but locked down.
  • Server private key → lives only on the server, paired with its certificate.
  • Client private key (for mTLS) → lives only on the device, paired with its client certificate.

Visual Chain of Trust with Keys

Root CA (root_ca.crt) ← self-signed
   └── Private key: offline, secret, never used directly
        |
Intermediate CA (intermediate_ca.crt)
   └── Private key: used to sign end-entity certs
        |
Server Certificate (server.crt)
   └── Private key: used by server during TLS handshake

Summary

  • Root CA → trust anchor, private key offline.
  • Intermediate CA → issues server/device certs, private key secured but active.
  • Server certificate → service identity, private key only on the server.
  • Clients → only need the root CA in their trust store. Intermediates are sent by the server as part of the chain, and clients use them for validation. Clients never need any private keys.

This separation ensures maximum security: compromise of a server or even an intermediate does not endanger the root, while trust chains remain verifiable.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top