What are Comodo Root and Intermediate Certificates?

Understanding the parts of the Comodo Certificate Chain

In order to be trusted, every SSL certificate must chain back to a trusted root. This is called the certificate chain and it’s crucial to your SSL certificate working correctly. This usually means downloading & installing the Comodo intermediate certificate at the same time you install SSL. You usually don’t need to install the Comodo root certificate.

The Chain of Trust

This screenshot shows how the certificate on this website chains back to the Comodo Root & Intermediate certificates.

• Comodo Root Certificate. Every browser has a root store, a database of pre-downloaded root certificates from trusted Certificate Authorities, including Comodo.
• Comodo Intermediate Certificate. An intermediate root serves as a link in the chain of trust, helping SSL certificates to chain back to roots.
• Your Comodo SSL Certificate. This is the certificate that actually secures your website. All SSL certificates must chain back to a trusted root in order to be validated by the user’s web browser.

Why so many Intermediates?

A trusted root is an extremely valuable entity, so valuable that most CAs refuse to issue directly from one. Rather, the CAs create intermediate roots for their own use, or to be leased out to other CAs. Because of this model, it’s rather common during the SSL installation process that you may be asked to install an intermediate certificate, or an intermediate bundle (a group of intermediate certificates) to help fill out the certificate chain.

Download & Install the Comodo Intermediate Certificate

Installing an intermediate certificate is simple and is typically accomplished in the same way you would install in any other SSL certificate. For instructions on how to download and install a Comodo Intermediate, follow the link below.

Download the Comodo Intermediate Certificate

Downloading/Installing the Comodo Root Certificate

It’s fairly uncommon that you would need to install a Comodo root certificate. Comodo is a universally trusted Certificate Authority whose roots are included in all major trust stores. However, if you’re creating your own CA for internal purposes, you may wish to add a custom root to your browser’s root store. We have instructions on this if needed.

UH-OH! My Root Certificate is SHA-1!

While SHA-1 has been sunsetted as a hashing algorithm for public-facing SSL certificates, there are still some legacy roots that make use of SHA-1. This is not a problem, nor will it result in an vulnerability for you or your site. If you’d like to avoid SHA-1 completely, please select Full SHA-2 when ordering your certificate.