Sophia
Hart

What Are Root Certificates? A Complete Guide to Chain of Trust & Security

Sophia Hart

Jul 17, 2026

11 min read

root certificates

TL; DR

  • Root certificates are self-signed digital certificates that serve as the foundation of trust in public key infrastructure (PKI).
  • They establish trust through a certificate chain, allowing browsers and devices to verify the identity of websites, applications, and services.
  • Compromised or mismanaged root certificates can expose organizations to risks such as fraudulent certificates, website impersonation, and man-in-the-middle attacks.
  • Organizations should adopt centralized, policy-driven certificate management to maintain secure communications, reduce administrative overhead, and support compliance.

What are root certificates?

A root certificate is a self-signed digital certificate issued by a Root Certificate Authority (Root CA) that serves as the highest level of trust in a public key infrastructure (PKI). Because it is signed with its own private key, it acts as a trust anchor and forms the foundation of the certificate trust hierarchy. Root certificates are stored in trusted root stores maintained by operating systems and, in some cases, browsers. When a website, application, or service presents a certificate that can be traced back to one of these trusted roots through a valid certificate chain, its identity can be verified and trusted.

Root certificates enable trust across a wide range of digital interactions, including:

  • HTTPS websites: Verify website identities before establishing encrypted connections.
  • Software signing: Confirm that applications and updates come from trusted publishers and haven’t been tampered with.
  • VPN authentication: Help establish secure and trusted remote connections.
  • Enterprise authentication: Support certificate-based authentication for users, devices, and internal services.
  • Secure email: Enable email encryption and digital signatures to protect sensitive communications.

Although users rarely see them, root certificates form the foundation of digital trust, allowing devices, applications, and online services to authenticate identities and communicate securely.

Book a free demo and explore Hexnode UEM today!

Why do root certificates matter?

Root certificates make secure digital interactions possible by establishing trust before any sensitive information is exchanged. Whether you’re visiting a website, downloading software, or connecting to a corporate network, root certificates help verify that you’re communicating with a legitimate and trusted entity rather than an imposter.

They play a critical role in several everyday security processes:

  • Enable trusted web browsing: Browsers use root certificates to verify a website’s identity before establishing an encrypted HTTPS connection, helping users avoid fraudulent or spoofed websites.
  • Verify identities before encryption: Encryption is only meaningful if both parties trust each other’s identity. Root certificates validate that trust before secure communication begins.
  • Protect against impersonation attacks: By validating digital certificates against trusted Root CAs, devices and applications can detect certificates issued by untrusted or malicious sources.
  • Support trusted software distribution: Root certificates help verify digital signatures on software, updates, and drivers, ensuring they originate from legitimate publishers and have not been tampered with.

For organizations, trusted certificates help ensure secure communications, trusted device interactions, and reliable access to internal resources.

How does the certificate chain establish trust?

A root certificate alone doesn’t validate every website or application directly. Instead, trust is established through a certificate chain (also known as the chain of trust), where each certificate is cryptographically linked to the one above it.

This layered approach allows Root CAs to protect their highly sensitive private keys while delegating certificate issuance to intermediate CAs.

Understanding the chain of trust

The certificate chain consists of three key components:

  • Root certificate: The self-signed certificate at the top of the hierarchy that acts as the trust anchor.
  • Intermediate certificate: Issued by a root CA or another intermediate CA and used to issue subordinate CA or end-entity certificates.
  • Server (leaf) certificate: The certificate installed on a website, application, or service to verify its identity.
  • Trust verification: A device or browser validates each certificate in the chain until it reaches a trusted root certificate stored locally.

What happens when you visit an HTTPS website?

When you open an HTTPS website, your browser performs several certificate and connection checks before displaying its site information or security indicator.

  • The website sends its server certificate to the browser.
  • The browser verifies that the certificate was issued by a trusted Intermediate CA.
  • It follows the certificate chain to confirm that the intermediate certificate ultimately traces back to a trusted Root CA stored in the device’s trust store.
  • The browser checks additional details, such as the certificate’s validity period and whether it has been revoked.
  • If every validation succeeds, the browser establishes an encrypted HTTPS connection. If any step fails, users receive a certificate warning indicating that the site’s identity cannot be trusted.

This chain-based model enables secure authentication at internet scale while keeping highly sensitive root certificates protected from routine use.

Root certificates vs. intermediate certificates

Although both root and intermediate certificates are issued by Certificate Authorities (CAs), they serve distinct roles within the public key infrastructure (PKI). Root certificates establish trust at the highest level, while intermediate certificates extend that trust to websites, applications, and other digital services. Separating these responsibilities makes certificate management more secure and scalable.

Comparing root, intermediate, and end-entity certificates

Aspect Root Certificate Intermediate Certificate End-Entity (Leaf) Certificate
Signing Authority Self-signed Signed by a Root CA Signed by an Intermediate CA
Primary Role Trust anchor Delegates trust Identifies a website, application, or user
Typical Validity 10–25+ years 5–10 years (varies) Depends on the use case (public TLS certificates follow CA/Browser Forum limits)
Private Key Storage Offline or highly secured HSM HSM or secure signing infrastructure Server, application, cloud service, or HSM
Can Issue Certificates Issues intermediate CA certificates Issues end-entity certificates No
Risk if Compromised Entire trust hierarchy affected Certificates issued by that intermediate affected Individual certificate affected
Browser Trust Trusted directly through the root store Trusted through the root certificate Trusted through the certificate chain

Intermediate certificates improve security by keeping the Root CA’s private key offline. If an intermediate certificate is compromised, it can typically be revoked and replaced without affecting the trusted root certificate.

Where are root certificates stored?

Root certificates are stored in trust stores maintained by operating systems and, in some cases, browsers. These repositories contain the root certificates that a device or application inherently trusts, allowing it to validate websites, applications, and other digital services without requiring manual approval. While the concept is consistent across platforms, the location and management of trust stores vary.

Windows Trusted Root Store

Windows maintains a centralized Trusted Root Certification Authorities store that applications and browsers can use to validate certificates. Microsoft regularly updates this store through Windows Update to add new trusted Root CAs or remove certificates that are no longer considered trustworthy.

macOS Keychain

On macOS, trusted root certificates are stored in Keychain Access. Apple manages the system trust store and distributes updates through macOS, helping ensure devices recognize current and trusted Certificate Authorities.

Linux CA bundles

Most Linux distributions store trusted root certificates in CA bundles, though the file locations and management tools differ by distribution. System administrators can update these bundles using their distribution’s package manager or certificate utilities.

Android and iOS trust stores

Android and iOS include built-in trusted root stores that are updated through their respective platform update mechanisms. Organizations can also deploy additional trusted certificates for enterprise use cases, such as internal websites, VPNs, and Wi-Fi authentication.

Keeping trust stores up to date

Trust stores evolve as Certificate Authorities are added, updated, or removed. Regular operating system updates ensure devices continue to trust legitimate certificate authorities while removing certificates that have expired or are no longer considered secure.

In enterprise environments, organizations often distribute approved certificates across corporate devices to maintain consistent trust, support certificate-based authentication, and ensure secure access to internal resources.

What happens if a root certificate is compromised?

A root certificate sits at the top of the certificate trust hierarchy, making it one of the most sensitive assets in a public key infrastructure (PKI). If its private key is compromised, attackers could potentially issue certificates that appear to be trusted by devices and applications. Although such incidents are rare due to the strict security measures used to protect Root CAs, the impact can be widespread.

Security risks

A compromised root certificate can undermine digital trust in several ways:

  • Fraudulent certificates: Attackers could create certificates that appear to have been issued by a trusted Certificate Authority.
  • Man-in-the-middle (MitM) attacks: Fake certificates may be used to intercept encrypted communications between users and legitimate services.
  • Fake software signatures: Malicious applications could be digitally signed to appear as though they originate from a trusted publisher.
  • Website impersonation: Cybercriminals could create websites that appear legitimate, increasing the risk of phishing and credential theft.

How trust is restored

When a root certificate is no longer trusted, Certificate Authorities and platform vendors take coordinated steps to protect users:

  • Certificate distrust: Platform vendors may revoke affected intermediate or end-entity certificates where applicable and remove or distrust compromised root certificates through root store updates.
  • Root store updates: Operating system and browser vendors remove, or distrust affected root certificates through security updates.
  • Vendor response: Browser and OS vendors work with Certificate Authorities to minimize disruption and restore trust.
  • Certificate replacement: New certificates are issued using trusted Root CAs, allowing affected services to re-establish secure communications.

Common certificate errors and what causes them

Certificate errors occur when a browser, operating system, or application cannot verify the authenticity of a digital certificate. While the warning may simply indicate a configuration issue, it can also point to a genuine security risk. Understanding the most common causes helps IT teams troubleshoot issues more efficiently.

  • Untrusted root certificate: The certificate chain ends at a Root CA that isn’t present in the device’s trusted root store, preventing trust validation.
  • Expired certificate: Certificates are valid only for a specific period. Once expired, browsers and applications reject them until they are renewed.
  • Missing intermediate certificate: If an intermediate certificate is absent or misconfigured, the certificate chain cannot be completed, causing validation to fail.
  • Certificate name mismatch: The domain name on the certificate doesn’t match the website or service being accessed, triggering a security warning.
  • Incorrect system date or time: An inaccurate device clock can cause valid certificates to appear expired or not yet valid.

In enterprise environments, maintaining standardized certificate configurations across managed devices helps minimize these errors, ensuring consistent trust, reliable authentication, and a smoother user experience.

Best practices for managing root certificates

Managing root certificates effectively is essential for maintaining a secure and trusted IT environment. A well-governed certificate management process reduces the risk of unauthorized trust relationships, configuration errors, and compliance issues while ensuring secure communications across devices and services.

Maintain an approved trust store

Only trusted and business-approved Root CAs should be present in your organization’s trust store. Review requests to add new root certificates carefully and remove certificates that are no longer required.

Audit trusted certificates regularly

Perform periodic audits to identify expired, unauthorized, or outdated certificates. Maintaining an up-to-date certificate inventory also helps simplify compliance reporting and security reviews.

Limit administrative access

Restrict who can install, modify, or remove trusted root certificates. Applying the principle of least privilege reduces the risk of accidental changes or unauthorized certificate installation.

Remove obsolete certificates

Certificates that are expired, revoked, or no longer needed should be removed promptly. Organizations should also monitor certificate expiration dates to avoid service disruptions caused by expired certificates.

Maintaining trusted certificates at scale with Hexnode

As organizations grow, manually deploying and managing trusted certificates across hundreds or thousands of devices becomes difficult to maintain. Centralized certificate management helps ensure devices consistently trust the right Certificate Authorities while reducing configuration errors and administrative overhead.

With Hexnode, IT administrators can:

  • Deploy trusted certificates centrally to managed devices, eliminating the need for manual installation on individual endpoints.
  • Enforce certificate-related policies consistently across corporate-owned devices to support secure authentication and trusted communications.
  • Maintain visibility into certificate deployments and device configurations to help administrators manage certificates consistently across managed devices.
  • Simplify certificate deployment and updates with centralized policies to maintain secure access to enterprise resources.

Centralized certificate management improves operational efficiency, enforces consistent security policies, reduces manual effort, and helps organizations maintain secure authentication and compliance as they scale.

hexnode uem an inside look
Featured resource

Hexnode UEM: An inside look

Discover how Hexnode helps IT admins centrally manage, secure, and streamline enterprise device management efficiently.

DOWNLOAD

FAQs

Yes, but browsers won’t trust it by default. Public websites typically use certificates issued by trusted Certificate Authorities to avoid security warnings.

Most operating systems include a trusted root store where you can view installed root certificates using built-in certificate management tools.

A public CA offers certificate services to the public, while a private CA serves a defined population. Browser and operating-system trust depends on whether the CA’s root certificate is included in or explicitly added to the relevant trust store.

Conclusion

Root certificates are the foundation of digital trust, enabling browsers, devices, and applications to verify identities before establishing secure connections. Together with intermediate and server certificates, they create the chain of trust that protects everyday digital interactions.

As organizations expand their IT environments, effective certificate management becomes increasingly important for maintaining secure communications, reducing security risks, and supporting compliance. Adopting a centralized, policy-driven approach to managing trusted certificates helps ensure consistent security while simplifying administration across enterprise devices.

Share

Sophia Hart

A storyteller for practical people. Breaks down complicated topics into steps, trade-offs, and clear next actions—without the buzzword fog. Known to replace fluff with facts, sharpen the message, and keep things readable—politely.