Dedicated Intermediate CAs

Branded intermediates, roots, and hierarchies hosted and maintained by GlobalSign

Request a Quote

Control your chain of trust without managing PKI in-house

Dedicated intermediate CAs (ICAs), sometimes referred to as subordinate or issuing CAs, are used to issue end-entity certificates exclusively for one specific company.  Having your own ICA or hierarchy gives you greater control over the chain of trust in your ecosystem, allowing you to only trust certificates issued from your trust model.

These CA hierarchies can be public or private trust and are branded to the customer, but they are hosted and managed by GlobalSign in our Web-Trust audited, secure data centers. Relying on GlobalSign to host your ICAs and roots ensures all CA components are properly protected and configured in line with the latest industry best practices - eliminating the cost and resource burden on internal teams to manage PKI. Note: In some rare cases (e.g., SSL inspection/decryption), the intermediate is hosted by the customer.

How It Works

GlobalSign supports both public trust customer-specific ICAs and private trust customer-specific hierarchies. Below are very simple examples of the many configurations we can support. With the exception of a few scenarios, all roots and ICAs are hosted and maintained by GlobalSign.


Reasons for Using a Dedicated CA or Root

Below are a few of the most common reasons a company would want their own intermediate CA or private hierarchy. This list is not exhaustive and we can support a variety of hierarchy and trust options. Contact us with specific questions.

Client Authentication

Certificate-based client authentication often validates certificates based on an intermediate CA. By having an exclusive subordinate CA, you can limit who has certificates that grant access to a system. These use cases generally use private trust hierarchies.

SSL/TLS Inspection/Decryption

In order for an SSL inspection appliance to decrypt and re-encrypt content, it must be able to issue certificates as needed. This means it needs its own subordinate CA and it cannot be publicly trusted. For this use case, GlobalSign hosts the root, and the ICA is hosted on the customer's inspection appliance.

Custom Profiles

You can configure a subordinate CA to meet your specific needs regarding extended key usage, certificate policy, CRL distribution, short-lived certificates and more.


For companies that offer certificates to their end customers or bundle them into their services, having a dedicated subordinate CA in their name can offer some additional branding opportunities.

Special Use Case Certificates

Certificates issued under private hierarchies can support legacy application and unique configurations, such as longer validity periods and smaller key sizes, that are not permitted in publicly trusted certificates per CA/Browser Forum Baseline Requirements. Note: if you only need private SSL/TLS, but not your own intermediate, we offer this through our IntranetSSL product.

Request an Intermediate CA Quote

By requesting a quote, a GlobalSign Product Specialist will contact you.

Request an Intermediate CA Quote

By requesting a quote, a GlobalSign Product Specialist will contact you.