|
|
(One intermediate revision by the same user not shown) |
Line 1: |
Line 1: |
− | | + | =[[Options for SSL Certificates to Secure Your Website]]= |
− | =SSL Certificate Chain= | + | =[[SSL Certificate Chain]]= |
− | There are two types of certificate authorities (CAs): root CAs and intermediate CAs. In order for an SSL certificate to be trusted, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.
| |
− | | |
− | If the certificate was not issued by a trusted CA, the connecting device (eg. a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).
| |
− | | |
− | The list of SSL certificates, from the root certificate to the end-user certificate, represents the SSL certificate chain.
| |
− | | |
− | https://d33wubrfki0l68.cloudfront.net/67d491036d6e40015f275fc78daa1de4b9ab6d71/b2364/files/dnsimple-ssl-chain-robowhois.png
| |
− | | |
− | ==Example of an SSL Certificate chain== | |
− | | |
− | Here’s a practical example. Let’s suppose that you purchase a certificate from the Awesome Authority for the domain example.awesome.
| |
− | | |
− | Awesome Authority is not a root certificate authority. In other words, its certificate is not directly embedded in your web browser and therefore it can’t be explicitly trusted.
| |
− | | |
− | * Awesome Authority utilizes a certificate issued by Intermediate Awesome CA Alpha.
| |
− | * Intermediate Awesome CA Alpha utilizes a certificate issued by Intermediate Awesome CA Beta.
| |
− | * Intermediate Awesome CA Beta utilizes a certificate issued by Intermediate Awesome CA Gamma.
| |
− | * Intermediate Awesome CA Gamma utilizes a certificate issued by The King of Awesomeness.
| |
− | * The King of Awesomeness is a Root CA. Its certificate is directly embedded in your web browser, therefore it can be explicitly trusted.
| |
− | | |
− | In our example, the SSL certificate chain is represented by 6 certificates:
| |
− | | |
− | * End-user Certificate - Issued to: example.com; Issued By: Awesome Authority
| |
− | * Intermediate Certificate 1 - Issued to: Awesome Authority; Issued By: Intermediate Awesome CA Alpha
| |
− | * Intermediate Certificate 2 - Issued to: Intermediate Awesome CA Alpha; Issued By: Intermediate Awesome CA Beta
| |
− | * Intermediate Certificate 3 - Issued to: Intermediate Awesome CA Beta; Issued By: Intermediate Awesome CA Gamma
| |
− | * Intermediate Certificate 4 - Issued to: Intermediate Awesome CA Gamma; Issued By: The King of Awesomeness
| |
− | * Root certificate - Issued by and to: The King of Awesomeness
| |