Difference between revisions of "SSL Certificate Chain"

(Created page with " =SSL Certificate Chain= There are two types of certificate authorities (CAs): root CAs and intermediate CAs. In order for an SSL certificate to be trusted, that certificate m...")
 
(No difference)

Latest revision as of 05:48, 4 April 2020

SSL Certificate Chain

There are two types of certificate authorities (CAs): root CAs and intermediate CAs. In order for an SSL certificate to be trusted, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.

If the certificate was not issued by a trusted CA, the connecting device (eg. a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).

The list of SSL certificates, from the root certificate to the end-user certificate, represents the SSL certificate chain.

dnsimple-ssl-chain-robowhois.png

Example of an SSL Certificate chain

Here’s a practical example. Let’s suppose that you purchase a certificate from the Awesome Authority for the domain example.awesome.

Awesome Authority is not a root certificate authority. In other words, its certificate is not directly embedded in your web browser and therefore it can’t be explicitly trusted.

  • Awesome Authority utilizes a certificate issued by Intermediate Awesome CA Alpha.
  • Intermediate Awesome CA Alpha utilizes a certificate issued by Intermediate Awesome CA Beta.
  • Intermediate Awesome CA Beta utilizes a certificate issued by Intermediate Awesome CA Gamma.
  • Intermediate Awesome CA Gamma utilizes a certificate issued by The King of Awesomeness.
  • The King of Awesomeness is a Root CA. Its certificate is directly embedded in your web browser, therefore it can be explicitly trusted.

In our example, the SSL certificate chain is represented by 6 certificates:

  • End-user Certificate - Issued to: example.com; Issued By: Awesome Authority
  • Intermediate Certificate 1 - Issued to: Awesome Authority; Issued By: Intermediate Awesome CA Alpha
  • Intermediate Certificate 2 - Issued to: Intermediate Awesome CA Alpha; Issued By: Intermediate Awesome CA Beta
  • Intermediate Certificate 3 - Issued to: Intermediate Awesome CA Beta; Issued By: Intermediate Awesome CA Gamma
  • Intermediate Certificate 4 - Issued to: Intermediate Awesome CA Gamma; Issued By: The King of Awesomeness
  • Root certificate - Issued by and to: The King of Awesomeness