LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is a "chain of trust," and what are the roles of the Root CA, Intermediate CA, and End-Entity certificate?

Trust flows down a hierarchy: a Root CA signs Intermediate CAs, which sign the End-Entity (server/user) certificate — and verification walks the chain back up to the trusted root.

Level Role
Root CA the top, self-signed; its key is the trust anchor pre-installed in your device
Intermediate CA optional middle links; signed by the root, and sign other CAs or end entities (keeps the root key offline/safe)
End-Entity certificate the "leaf" — the actual server or user (e.g. www.hslu.ch)

To validate a server's cert, your client follows the certification path up the chain: leaf → intermediate → root. If it reaches a root you trust, and every signature checks out, the cert is accepted.

Tip: Roots are precious, so they're kept offline and rarely used directly — intermediates do the day-to-day signing. Compromise of a root is catastrophic; compromise of an intermediate can be revoked.

From Quiz: ISF / Intercepting & Proxy Tools | Updated: Jul 14, 2026