Hello Mohammad
In the lesson here, the root CA is used to sign certificates. However, in a production network this is not best practice. In order to maintain a hierarchy, and more easily manage certificates, intermediate CAs are used. How do they work?
Well, the root CAs issue intermediate CAs, which can be used to sign certificates. This adds layers of security and helps to minimize problems in the event of an incorrect issuing of a certificate. In such a case, rather than revoking the root certificate, and every certificate issued, you only need to revoke the certificates issued by the intermediate CA.
The root CA signs the intermediate root with its private key, which makes it trusted. Then the CA uses the intermediate certificate’s private key to sign and issue certificates. That’s OK because the root CA has trusted the intermediate CA to do this. You may have several intermediate root CAs that create a certificate change that leads back to the root CA. It may look like this:
Root CA → Intermediate CA 1 → Intermediate CA 2 → Intermediate CA 3 → Certificate
Since trust is established at each step, the certificate is considered valid and can be traced back to the root.
Both scenarios would work, however the second may be somewhat more secure. If it contacts the CA server if this certificate is trusted, it will ensure that it is still currently valid.
I hope this has been helpful!
Laz