Root certificates are at the foundation of internet security. They are critical to validating the identity of websites through SSL/TLS certificates. But how exactly do they work, and why are they so important? This article will explain everything you need to know about root certificates in plain language.
What is a Root Certificate?
A root certificate is a special digital certificate issued and digitally signed by a Certificate Authority (CA) such as SSL.com. It represents the top level of trust in a certificate hierarchy. Root certificates are sometimes called trust anchors because they are the ultimate source of verification for issued certificates.
When a CA issues a certificate to an entity like a website, it must be validated by tracing it back to a trusted root. The root certificate contains the public key needed to verify that chain of trust. Root certificates are typically self-signed, meaning their signature is generated with the certificate’s own private key.
All major web browsers and operating systems come with a pre-installed set of trusted root certificates from major certificate authorities. This allows them to seamlessly verify SSL/TLS certificates for securing websites.
Hierarchy of Trust
Root CAs are at the top of a certification hierarchy that cascades down into intermediate certificates and end-entity certificates:
-
Root certificate such as SSL.com – self-signed, represents ultimate trust.
-
-
End-entity certificates – issued to users and servers, signed by intermediates
By segregating duties, intermediate CAs can issue certificates daily without accessing the highly protected root keys. The root keys can be kept offline and are only used occasionally to generate intermediate CA certificates.
When an intermediate authority issues a digital certificate, it contains the issuing CA signature and a chain of certificates linking back to the root. This chain is followed to verify the end certificate.
Importance and Function of Root Certificates
Root certificates serve several crucial functions:
-
Trust Anchor – They are the trust anchor that establishes a chain of trust. All certificates issued by the PKI can be validated by tracing back to the root.
-
Secure Web Browsing – Enables secure HTTPS connections. Browsers verify website certificates by chaining them up to a trusted root.
-
Verify Software – Used to authenticate digitally signed software like OS updates, apps, utilities, etc. Signatures are checked against the root.
-
Encrypt Communication – Allows secure email and data transfer by enabling encryption paired with the root’s signature.
Without root certificates, there would be no centralized mechanism to establish trust for certificates and public keys. They provide the authoritative trust source underpinning public key cryptography.
Major Root Certificate Authorities
There are around 60 authorities that operate root certificate programs. Our company, SSL.com, is a leading example, acting as its root CA. We use extensive validation procedures before issuing intermediate CA certificates to domain owners who need SSL certificates. Our root keys are protected by hardware and software in secure facilities.
Major organizations like Microsoft, Apple, Mozilla, and Oracle decide which root CAs they will trust by default in their software. A CA like SSL.com must meet stringent requirements to become a trusted root authority embedded in root stores.
By acting as a root CA, we can issue trusted SSL/TLS certificates to websites and other entities without relying on an external root authority. Our root certificate serves as the trust anchor for our hierarchy.
Browsers and Root Certificates
Web browsers come preloaded with a trust store containing over 100 trusted root certificates from major CAs. This allows them to validate SSL/TLS certificates used for HTTPS websites seamlessly.
When you visit a website secured with SSL/TLS, the browser will:
-
Receive the website’s certificate and chain of intermediate certificates.
-
Validate the chain of trust back to a built-in trusted root certificate.
-
Check that the domain name matches the website certificate.
-
Display the secure lock icon and allow an encrypted connection.
It will warn the user if the browser encounters an invalid certificate, an untrusted root, or a domain name mismatch.
Browsers also have certificate management tools for viewing root CAs and making trust decisions. Chrome, Firefox, Edge, and Safari allow users to view, export, or disable root certificates.
Installing & Managing Root Certificates
Although OS and browsers come with pre-installed roots, you may need to install additional root certificates in some cases:
-
To trust your company’s private PKI certificate chain
-
If using a new or unfamiliar certificate authority
-
When troubleshooting “untrusted certificate” errors
Root certificates can be installed globally at the OS level or locally at the browser or application level. On Windows, the Certificate Manager handles trusted roots. On Mac, roots are located in Keychain Access. In Linux, they go under /etc/ssl.
When installing a new root, verifying it is valid and comes from a reputable source is important. Once installed, invalid or compromised roots can be untrusted or deleted. However, revoking trust in a major public root may cause widespread application breakage.
Expiration and Renewal of Root Certificates
Root certificates have long lifetimes of 20 years or more. But they still ultimately expire for security reasons. As roots near expiration, CAs must roll out new roots and transition users and software to trust the new keys.
Some impacts of expiring, old, or untrusted root certificates include:
-
Invalid certificate warnings in browsers
-
Broken certificate chains causing connection errors
-
Software unable to validate signature checks
Best practices for managing root expiration include:
-
Renewing root keys on a long timeframe with overlap
-
Using parallel roots and overlapping validity periods
-
Getting new roots distributed in client software updates
-
Revoking/removing old roots after the transition is complete
Proper root certificate lifecycle management is crucial to avoiding disruptions in trusted communication and software verification.
Protecting Root Certificate Keys
Due to their fundamental role in establishing trust, the private keys associated with root certificates must be extremely highly protected. Industry standards recommend:
-
Keeping keys offline in secure storage like a hardware security module (HSM)
-
Maintaining elaborate physical and software security
-
Only accessing when necessary using multi-party controls
-
Managing keys only within secure cryptographic modules
-
Deleting private keys completely when no longer required
Following strict key ceremony procedures and separation of duties for root CAs protects the PKI trust anchor from compromise.
High Assurance SSL/TLS from SSL.com’s Trusted Root
Root certificates form the foundation of trust for securing communications and transactions across the internet. They establish the chains of assurance that underpin public key infrastructure. Through anchoring certificate authority hierarchies and distributing trusted root stores, they enable the wide-scale use of SSL/TLS, code signing, device authentication, and other critical security technologies. Therefore, managing root keys and certificates is one of the most important responsibilities in the digital certificate ecosystem.
