X.509 Certificates (CA Hierarchy, Root vs. Intermediate, Let's Encrypt)

#The Chain of Trust: From Root to Leaf#link

A certificate is essentially a digital identity card. But why does your browser trust a certificate issued by 'DigiCert' or 'Let's Encrypt'? Because they are part of a hierarchical trust model where trust is inherited from a top-level authority.

The Root CA: The Anchor of Trust

At the top of the pyramid is the Root Certificate Authority (CA). A Root CA certificate is 'self-signed'. The only reason we trust it is that the certificate is pre-installed in our operating system's 'Trust Store' (e.g., Windows Root Store, Mozilla Root Store). If you manually add a Root CA to your device, you are telling the OS: 'Trust everything this entity signs'.

The output shows a chain. The site certificate (leaf) was signed by an intermediate/root authority. The browser follows this chain upward until it hits a Root it already knows and trusts.

Intermediate CAs: The Buffer Zone

Root CAs create Intermediate CAs to perform the day-to-day signing of certificates. This is a security measure: if an Intermediate CA is compromised, the Root CA can simply revoke that intermediate without having to replace the Root certificate in every computer on earth.

# Command to bundle leaf and intermediate certs into a full chain
cat certificate.crt intermediate.crt root.crt > fullchain.pem

The Let's Encrypt Revolution (ACME)

Traditionally, getting a certificate required manual identity verification and paying a fee. Let's Encrypt automated this using the ACME (Automated Certificate Management Environment) protocol. Instead of verifying legal documents, ACME verifies 'Control of Domain' through a DNS record or a file on the web server.

• ▪Automated issuance via Certbot
• ▪Short expiration (90 days) to force rotation
• ▪Free of charge for all users
• ▪Transparency via public CT logs