SSL Certificate Chain

You are probably familiar with a program or website that cannot function on its own. A website operates in tandem with a web server, which serves as its backbone. The same holds true for SSL certificates: an SSL certificate works with the support of a chain, generally known as the SSL certificate chain.

Here I will walk you through the SSL certificate chain in depth and explain the function of each part of that chain.

What is an SSL Certificate Chain?

A certificate chain establishes Public Key Infrastructure (PKI) trust between Certificate Authorities (CAs). This trust defines the hierarchical roles and relationships between the root CA certificate, the intermediate CA certificates, and the Secure Sockets Layer (SSL) certificate.

In fact, to establish whether an SSL certificate can be trusted, a browser needs to verify only a few more details. These details are simply a few more certificates that get checked. This list of certificates, from the root certificate down to the certificate served to the browser, forms the SSL certificate chain.

Let us look at this process more closely. To see the chain for yourself, view the certification path of the SSL certificate installed on any URL.

Components of the SSL certificate chain

  • URL certificate
  • Intermediate certificate
  • Root certificate

Differentiating root and intermediate CAs

The root CA forms the basis of the certificate chain. Root CA certificates bear the same trust level as root CA certificates. The root CA signs the intermediate CA certificate. The intermediate CA's function is to sign end-entity certificates on behalf of the root CA.

SSL Certificate

An intermediate CA signs the SSL certificate for use as a domain-specific certificate. The SSL certificate is installed on an SSL-enabled server (the end entity), and the server presents the certificate to the browser when an SSL connection is initiated. The browser then attempts to validate the SSL certificate by verifying the authority that signed it.

Intermediate CA

The intermediate CA acts as a deputy of a particular root CA and uses a certificate signed by that root CA. The intermediate CA is the signer of the SSL certificate. Intermediate CAs obtain their CA certificate directly from the root CA that signs it.

Root CA

The root CA uses an X.509 public key certificate that explicitly identifies the root CA. The root CA is the signing authority for the whole SSL certificate chain. Browser vendors maintain a list of known, trusted root CAs, and that list ultimately decides whether an SSL certificate is valid.

For a browser to accept an SSL certificate, the certificate must be issued by a CA that holds a certificate signed by a root CA, and that root CA must be included in the browser's store of established, trusted root CAs.

The browser inspects the certificate of each intermediate CA to decide whether it was issued by a recognised, trusted root CA. If the intermediate CA certificate was signed by another intermediate CA, the browser then checks whether that intermediate CA's certificate was issued by a trusted root CA.

This chain of deeper-level checks continues until the root CA certificate is found and checked against the trusted root CA store in the browser.

When the root CA at the end of the chain matches a known and trusted root CA in the browser store, the certificate is recognised as legitimate.

Different vendors handle untrusted SSL connections in various ways. Most alert the user that the connection is untrusted, either requiring the user to accept the exception or refusing to establish the connection altogether.

How the SSL Certificate Chain Works

For a better understanding of the SSL certificate chain, I have a video for you. Watch it for a quick overview.

Simple Definition of a Certificate Chain:

  • A browser initiates an SSL connection to a domain that holds an SSL certificate issued by CA D.
  • CA D is an intermediate CA; thus, the browser will not have a root CA certificate for D in its list of known, trusted root CAs.
  • Intermediate CA C signed the certificate for D.
  • Intermediate CA B signed the certificate for C.
  • Intermediate CA A signed the certificate for B.
  • The root CA signed the certificate for intermediate CA A.

If the root CA is a recognised, trusted CA, then the SSL certificate given in the initial request to the browser is deemed legitimate.

Troubleshooting SSL Certificate Chain Issues

Troubleshooting an SSL certificate can be extremely challenging if you are not familiar with the procedures. With that in mind, here is a troubleshooting guide covering the most common SSL certificate errors and their solutions.

  • Was your SSL certificate issued by a trusted CA? If not, browsers will distrust your SSL certificate. The same problem arises if you signed the certificate yourself.
  • Have you installed your intermediates properly? Although browsers try to fill gaps in the certificate chain, you don't want to leave it to chance. Make sure you install all intermediate certificates along with your SSL certificate.
  • Is your server configured correctly? Just because you have your SSL certificate and any intermediates does not mean you have configured your server properly. If you have trouble installing your certificate, our installation team will be pleased to help.
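
The chain walk described earlier and the missing-intermediate problem from the list above can be reproduced offline with the `openssl` command-line tool. This is an added example, not part of the original article: it builds a throwaway root CA, one intermediate CA and a server certificate (the CA names, host name and file names are constructed), then verifies the server certificate with and without the intermediate.

```shell
#!/bin/sh
# Added example: throwaway test CAs; all names and file names are constructed.
WORK=$(mktemp -d)

# Minimal config: one extension profile for CA certificates, one for the server.
cat > "$WORK/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF

new_csr() {   # $1 = file prefix, $2 = common name
  openssl req -new -config "$WORK/x.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}
sign_csr() {  # $1 = subject prefix, $2 = issuer prefix, $3 = extension profile
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/x.cnf" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}
build_chain() {
  # Root CA: self-signed, the only certificate placed in the trust store.
  openssl req -x509 -config "$WORK/x.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 30 \
    -subj "/CN=Example Root CA" 2>/dev/null || return 1
  new_csr int "Example Intermediate CA" && sign_csr int root ca_ext || return 1
  new_csr leaf "www.example.test" && sign_csr leaf int leaf_ext
}
# Server presents only its own certificate: no path to the trusted root.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Server presents the intermediate too: leaf -> intermediate -> root completes.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

if build_chain; then
  verify_leaf_only && echo "leaf only: trusted" || echo "leaf only: rejected"
  verify_with_intermediate && echo "with intermediate: trusted" \
    || echo "with intermediate: rejected"
fi
```

Remove the `>/dev/null 2>&1` redirections from the two verify functions to see OpenSSL's own diagnostic for the rejected case.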