Explaining the Chain of Trust
A certificate chain is a list of certificates (usually starting with an end-entity certificate) followed by one or more CA certificates (usually the last one being a self-signed certificate), with the following property: the issuer of each certificate (except the last one) matches the subject of the next certificate. A certificate chain is an ordered list of certificates, containing an SSL/TLS certificate and Certificate Authority (CA) certificates, that enable the receiver.
The device continues checking until either a trusted CA is found (at which point a trusted, secure connection is established) or no trusted CA can be found (at which point the device will usually display an error). The list of SSL certificates, from the root certificate to the end-user certificate, represents the SSL certificate chain.
As an example, suppose you purchase a certificate from the Awesome Authority for the domain example. Certificate 1, the one you purchase from the CA, is your end-user certificate.
Certificates 2 to 5 are intermediate certificates. Certificate 6, the one at the top of the chain (or at the end, depending on how you read the chain) is the root certificate. When you install your end-user certificate for example.
The root certificate is usually embedded in your connected device. In the case of web browsers, root certificates are packaged with the browser software. The procedure to install the intermediate SSL certificates depends on the web server and the environment where you install the certificate.
We provide a certificate installation wizard which contains installation instructions for several servers and platforms. If you purchase a certificate with us you can use this wizard to obtain and install the files you need for your server. That means you create a gap between a specific end-user or intermediate certificate and its issuer.
The only way to shorten a chain is to promote an intermediate certificate to root. Ideally, you should promote the certificate that represents your Certificate Authority; that way the chain will consist of just two certificates.
Root certificates are packaged with the browser software. The list can only be altered by the browser maintainers.
Example of an SSL certificate chain: the Awesome Authority's root certificate is directly embedded in your web browser, therefore it can be explicitly trusted. In our example, the SSL certificate chain is represented by 6 certificates: End-user Certificate - Issued to: example.
How can I shorten the SSL certificate chain in my browser?
What Is an SSL Certificate Chain?
A certificate chain (or chain of trust) is made up of a list of certificates that start from a server's certificate and terminate with the root certificate. If your server's certificate is to be trusted, its signature has to be traceable back to its root CA.
What is the SSL Certificate Chain?
There are two types of certificate authorities (CAs): root CAs and intermediate CAs. For an SSL certificate to be trusted, that certificate must have been issued by a CA that's included in the trusted store of the device that's connecting. A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice this includes the end certificate, the certificates of intermediate CAs, and the certificate of a root CA trusted by all parties in the chain.
This chain is integral to the larger public key infrastructure that makes secure online communications possible over the insecure internet. But what exactly is the certificate chain and why is it so important to establishing trust? The chain of certificates includes a root certificate, one or more intermediate certificates, and the server leaf certificate.
The screenshot attached below will give you an idea about what you will see. For example, here on SectigoStore. The other two types of certificates in the chain are what help to establish trust for those server certificates. SSL certificates are issued by a reputable and trusted third party known as a certificate authority, certification authority, or CA for short. However, the CA does not issue the certificates directly to the websites. To understand how these certificates work together, imagine a tree.
A tree has roots, a trunk and its corresponding branches, and the leaves. A certificate chain is not that different from a tree in terms of its structure. As with a tree, the root certificate is the foundation upon which all other certificates are based. And just like how a tree has many branches, there can be more than one intermediate certificate that a CA issues from a single root certificate.
The same analogy applies to the leaves, which represent the server certificates. So, click on the Certificate option and you will see a window pop up like the one in the image below. Now, we come to the next part, which is the certificate path. This is the most important part of the certificate information in the context of this article. Since the leaf certificate branches from the intermediate, and the intermediate from the root, imagine that the tree you pictured earlier is upside down.
In the screenshot above, basically, the roots of the tree are at the top and the leaves are at the bottom. The SSL certificate chain and the details on the signing authorities are explained in the figure below. A root certificate, also known as the trusted root, is the certificate issued directly by the certificate authority.
Unlike the other certificates, the root certificate is self-signed by the CA. The root certificate is considered most important in the certificate chain because all the parties agree to trust the CA issuing the root certificate.
The whole chain will break down if the CA issuing the root certificate is distrusted or revoked i. To protect these certificates, particularly in cases involving certificate revocations, root CAs often use intermediate CAs to put some space between their trusted root certificates and the end server certificates.
This is how trust of the intermediate certificate is established. There can be more than one intermediate certificate, but you cannot have a certificate chain without at least one intermediate certificate. A CA issues the server certificate, also known as a leaf certificate, to the domain that the user wants to cover.
Also, a padlock will appear before your domain name in the web address bar. To do this, it will start with the server certificate and follow it back to the root certificate to establish the trust. If any of the certificates in this chain cannot be verified, the chain will be broken and the validation will fail. The browser will issue a warning about the certificate to the user.
Yeah, like that. Are you still with me? Then I can take a step further and explain to you how the chain of certificates works. If a conventional hierarchy is followed, the root CA authenticates an intermediate CA, which, in turn, signs the server certificate.
So, with that in mind, how does one use the chain of trust for verification? When a user visits your website, your server sends them its certificate. The browser will check a variety of information. To verify that the certificate is legitimate, it needs to validate the chain of trust. Here, the browser will start from the server certificate and validate all the certificates, including the root certificate.
The most common certificate chain validation process moves in reverse, from the server certificate back to a root in the trust store. If the chain cannot be validated, a warning will be issued.
Public key infrastructure is a catch-all term that describes the framework of processes, policies, and technologies that make secure encryption in public channels possible. It relies on public key cryptography, which uses complex mathematical algorithms to facilitate the encryption and decryption of messages over the internet. These algorithms are integral components of the PKI framework. The algorithms have become more complex over time as technology has developed. PKI uses key pairs to encrypt and decrypt data.
The types of keys involved depend on the type of encryption you use. For example, symmetric encryption uses a single key to both encrypt and decrypt data. This requires the sender and recipient to have identical copies of the same key. In asymmetric encryption, on the other hand, there are two unique but mathematically related keys: a public key and a private key.
The public key, which is available to anyone, encrypts data. The private key, on the other hand, decrypts data and must be protected to keep it safe from compromise. The chain of trust is crucial for the implementation of this security protocol. Due to the tree-like structure of the chain of certificates, it is possible to establish contact with the server quickly and securely.
This is a win-win all the way around for everyone.
Figure caption: The SSL certificate chain consists of multiple certificates and helps to establish trust with browsers and clients.
Figure caption: An illustration of the certificate chain in the form of a tree.
About the author: Megha Thakkar. Megha can usually be found reading, writing, or watching documentaries, guaranteed to bore her family.