Why is it more secure to use intermediate CA certificates?

Yes, the number of compromised certificates is much larger with a Root Certificate compromise. But it's not just the number of certificates. Getting a new root certificate deployed due to a compromised root is massively more difficult than replacing the certificates whose intermediates are compromised.

For starters, replacing the Root Certificate of a public CA, even in a normal scenario, involves lots of paperwork and audits. In the scenario of a compromised root, the CA needs to convince software vendors (browsers and OS) to re-add their new Root Certificate to the default trust store. In the fallout of a leak, the CA has pretty much lost all the trust that had been built over the years, and vendors would rightly be skeptical about the capability of the CA and the viability of the CA's business going forward. At the very least, vendors would demand re-auditing and lots of additional paperwork before allowing the new Root Certificate Authority.

Vendors would then need to deploy the new trusted Certificate. This is extremely hard to do in a short time. People don't upgrade their browsers often enough. Some software like browsers has mechanisms to quickly broadcast revoked root certificates, and some software vendors have processes to rush a release when a critical security vulnerability is found in their product; however, you could be almost sure that they would not necessarily consider adding a new Root to warrant a rush update. Nor would people rush to update their software to get the new Root.

These are in addition to having to re-sign and reissue the certificates.

There were a number of Intermediate certificate compromises (e.g. Comodo) where the CA quickly handled the situation and walked away without any major consequences. The closest we have ever got to a root certificate compromise of a public CA is DigiNotar. DigiNotar went bankrupt in the weeks following the compromise being made public.


Is that correct? Is there another benefit?

An offline Root CA sacrifices convenience to gain security.

But, anyway, the CA must issue new Intermediate CA certificates and revoke the old ones... so the only benefit that I can find is that the CA issues different Intermediate certificates for different purposes.

Yes, in the case of a compromised Intermediate, the Root CA must be used to revoke the old and issue new certs... however, as you note, we're assuming

the Root CA is offline

so, unlike an Intermediate CA, you can't simply connect over the network, submit the CSR, and get the certificate back. "Offline" in this context usually means "air-gapped." Someone needs to pack the CSR for the new Intermediate onto a USB disk, walk to the server room, sit at the keyboard in front of the Root CA, and perform the operation locally. The new certificate needs to be put on the USB disk and carried back out, then connected to a networked system to allow it to be uploaded to the Intermediate CA.

Doing that when Intermediate certs need updating is not difficult. Doing it in any volume becomes impractical, which is why Root CAs generally don't sign individual certificates.

From that point on, the Intermediate CA begins signing certificate requests, but in online mode: network connections transmit the CSRs, and network connections distribute the certs.

So the difference is that the Intermediate CA is online for fast, convenient servicing of requests. The Root CA is offline for slow, awkward, but more secure servicing of requests. The use of multiple Intermediate CAs allows the "risk" of having the authority online and accessible to be divided into different sets of certificates; the eggs are spread into different baskets.


So the "universe" of compromised certificates is smaller than if the Root CA had signed all of the certificates.

Sure, you could put it that way. But until the intermediate CA has its certificate revoked (and even after that, it could still be problematic), it could continue to create bad certificates that users will trust. Because revocation isn't great, it probably weakens some of your assumptions about certificate security (this related question is specifically about offline CA revocation).

Also consider this -- with just one root CA, there's just one private key that needs to be protected well. With many intermediate CAs, there are many, many more keys that need to be protected. Then, it's only really as secure as the weakest link.

This makes it difficult to say that having intermediate CAs is more secure.