Quiz Entry - updated: 2026.07.14
What is a "chain of trust," and what are the roles of the Root CA, Intermediate CA, and End-Entity certificate?
Trust flows down a hierarchy: a Root CA signs Intermediate CAs, which sign the End-Entity (server/user) certificate — and verification walks the chain back up to the trusted root.
| Level | Role |
|---|---|
| Root CA | the top, self-signed; its key is the trust anchor pre-installed in your device |
| Intermediate CA | optional middle links; signed by the root, and sign other CAs or end entities (keeps the root key offline/safe) |
| End-Entity certificate | the "leaf" — the actual server or user (e.g. www.hslu.ch) |
To validate a server's cert, your client follows the certification path up the chain: leaf → intermediate → root. If it reaches a root you trust, and every signature checks out, the cert is accepted.
Tip: Roots are precious, so they're kept offline and rarely used directly — intermediates do the day-to-day signing. Compromise of a root is catastrophic; compromise of an intermediate can be revoked.