SSL Certificate Chain
A software/website that cannot function on its own would not be new to you. Website per-se works in tandem with the webserver. This is the backbone of its operation. The same goes for an SSL certificate. It works with some support chains. This chain is commonly known as the SSL certificate chain.
This article will provide an in-depth explanation of the SSL certificate chain and the roles of each component.
What is an SSL Certificate Chain?
A certificate chain is used to establish trust among Certificate Authorities (CAs), of a Public Key Infrastructure. The trust establishes hierarchical roles, relationships, between the root CA, intermediate CA, and Secure Sockets Layer SSL certificates.
A browser must verify a few additional details to determine the trust factor for the SSL certificate. These details are just a few of the certificates that have been verified by The SSL Certificate chain, which includes the root cert and the end browser.
Let’s dive deeper into this process. You will need to view the SSL certificate path installed on any URL to see the component of the SSL certificate.
Part of the SSL certificate chain
Differentiating between intermediate and root CAs
The root CA is the foundation of the certificate chain. The root CA certificate has the same trust level as the root CA certificate. The certificate for intermediate CA is signed by the root CA. The intermediate CA’s role is to sign the end-entity certificates of the root CA.
An intermediate CA signs the SSL certificate for domain-specific use. When an SSL connection is initiated with the server, the SSL certificate is installed on the end entity. The browser will verify the authenticity of the SSL cert by checking the certificate’s signing authority.
An intermediate CA acts as a substitute for a root CA. They use a certificate signed and authorized by the root CA. The intermediate CA is responsible for signing SSL certificates. The intermediate CAs receive their CA directly from root CA.
An X.509-based public certificate is used by the root CA to identify it. The root CA is the signatory for the SSL certificate chain. The root CA is the trusted, known source of SSL certificates.
A browser must accept SSL certificates issued by CAs that have a signed certificate from root CAs to issue them. This certificate is stored in the browser’s trusted root CAs list.
To verify that each certificate issued by an intermediate CA was issued by a trusted root CA, the browser will inspect each certificate. If the certificate of an intermediate CA was signed by another intermediate CA, the browser will check that certificate to verify if it is valid.
The process of checking each level further will continue until the root CA cert is found and verified against the browser’s trusted root CA’s.
The certificate is valid if the root CA matches the trusted root CA in your browser’s store.
Different vendors manage untrusted SSL connections in different ways. Most will notify the user that the connection is not trusted, and require them to either acknowledge the problem or refuse to allow the connection.
How the SSL Certificate Chain Works
This video will give you a deeper understanding of SSL certificate chains. This video will provide a quick overview.
An example of a simple certificate chain:
- A browser establishes an SSL connection with a domain that has an SSL certificate issued from a CAD.
- CA D is an intermediate CA. The browser won’t have a root CA certificate to D from the trusted root CAs.
- The intermediate CA C signs the certificate for D.
- The intermediate CA B signed the certificate for C.
- The intermediate CA A signs the certificate for B.
- The root CA trusted Intermediate CA A’s Certificate.
The SSL certificate presented to the browser during the initial request will be valid if the root CA is trusted and known.
Troubleshooting SSL Certificate Issues
If you don’t know what to do, SSL certificate troubleshooting may be difficult. Here is an SSL Certificate Troubleshooting Guide with solutions to the most common issues.
- Verify that your SSL certificate was issued by a trusted CA. Browsers will distrust your SSL certificate if it is not issued by a trusted CA. It would also be problematic if your certificate was self-signed.
- Did you properly install your intermediates? Although browsers may try to fill in gaps in your certificate chain, it is best to not leave anything to chance. You should ensure that intermediate certificates are also installed with your SSL certificate.
- Are you sure your server is correctly configured? Your SSL certificate and intermediates are not proof that your server is properly configured. Our installation team is happy to assist you if you need assistance installing your certificate.