Why are intermediate certificate authorities required? When would an intermediate certificate be used?
Sometimes, to protect the root CA's private key, it is stored in a very secure location and only used to sign a few intermediate certificates, which then are used to issue end entity certificates. In case of compromise, the intermediates can be revoked quickly, without having to reconfigure every single machine to trust a new CA.
Another possible reason is delegation: for example, such companies as Google, which often use many certificates for their own networks, will have an intermediate CA of their own.
How do I verify the chain from the intermediate certificate to the root certificate?
Usually, the end entity (for example, an SSL/TLS web server) provides you with the entire certificate chain, and all you have to do is verify the signatures.
The last in that chain is the root certificate, which you already have marked as trusted.
For example, when you have a chain [user] → [intermed-1] → [intermed-2] → [root], the verification is like this:
Does [user] have [intermed-1] as its "Issuer"?
Does [user] have a valid signature by [intermed-1]'s key?
Does [intermed-1] have [intermed-2] as its "Issuer"?
Does [intermed-1] have a valid signature by [intermed-2]'s key?
Does [intermed-2] have [root] as its "Issuer"?
Does [intermed-2] have a valid signature by [root]'s key?
Since [root] is at the bottom of the chain and has itself as "Issuer", is it marked as trusted?
The process is exactly the same all the time; the existence and count of intermediate CAs does not matter. The user certificate can be signed by root directly, and it will be verified the same way.
What are examples of intermediate certificates that link to root certificates?
See the certificate information of https://twitter.com/ or https://www.facebook.com/ for chains containing three or four certificates. See also https://www.google.com/ for an example of Google's own certification authority.
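The step list above, as an added example that is not part of the original answer: it builds a throwaway [user] → [intermed-1] → [intermed-2] → [root] chain with Python's `cryptography` package and walks it the same way (Issuer name match, then signature, then self-signed root in the trust store), and also checks that every signer is actually marked as a CA. Names and key sizes are constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID
def make_cert(cn, issuer=None, is_ca=True):
    """Constructed test PKI: issuer is a (cert, key) pair; None means self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, signing_key = (subject, key) if issuer is None else (issuer[0].subject, issuer[1])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))
    return cert, key
def _signed_by(cert, signer):
    try:  # is cert's signature valid under signer's public key?
        signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False
def verify_chain(chain, trusted_roots):
    """chain is ordered [user, intermed-1, ..., root]; returns (ok, reason)."""
    for child, parent in zip(chain, chain[1:]):
        # The answer's step pair: Issuer name match, then signature by the issuer's key.
        if child.issuer != parent.subject:
            return False, f"{child.subject.rfc4514_string()}: issuer name mismatch"
        if not _signed_by(child, parent):
            return False, f"{child.subject.rfc4514_string()}: bad signature"
        bc = parent.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:  # a leaf must never act as an issuer
            return False, f"{parent.subject.rfc4514_string()}: not a CA"
    root = chain[-1]
    if root.issuer != root.subject or not _signed_by(root, root):
        return False, "last certificate is not self-signed"
    if not any(root.public_bytes(Encoding.DER) == r.public_bytes(Encoding.DER) for r in trusted_roots):
        return False, "root is not in the trust store"
    return True, "ok"
# Constructed chain [user] -> [intermed-1] -> [intermed-2] -> [root]
root = make_cert("root")
intermed2 = make_cert("intermed-2", issuer=root)
intermed1 = make_cert("intermed-1", issuer=intermed2)
user = make_cert("user", issuer=intermed1, is_ca=False)
```

A certificate signed directly by the root passes the same function with a two-element chain, which is the point made in the answer about the number of intermediates not mattering.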
Would appreciate people commenting at the very least before voting to close the question. I have no idea why you would want to close it, e.g. is it a duplicate, makes no sense, etc. – PeanutsMonkey – 2011-10-17T22:11:33.227
@Linker3000 - The question is not open-ended as there is clearly an answer, nor is it chatty, i.e. it is not intended to stir up a conversation. It is to understand how SSL chains work so that if the need arises when implementing SSL certificates it can be done with an understanding of the foundations of SSL chains. – PeanutsMonkey – 2011-10-18T00:18:48.977