You would be familiar with a software/website that can not function independently. Website per-se functions in-tandem with web server, which is a backbone for its functioning. The same is true for SSL certificate as well. Yes, it functions with support from some chain. This chain is generally known as SSL certificate chain.
Here, I am going to guide you in-depth about the SSL certificate chain and what is the role of every component within that chain.
A certificate chain acts to establish a trust between Certificate Authorities (CAs) of a Public Key Infrastructure (PKI). The trust establishes the hierarchical roles and relationships between the root CA, the intermediate CA, and the Secure Sockets Layer (SSL) certificates.
Actually, in order to identify the trust factor of the SSL certificate, a browser has to verify few more details. These details are nothing but few more certificate that has been vetted by This list of SSL Certificate from the root certificate to the end browser, represents the SSL Certificate chain.
Let us delve deeper into the process. To see the component within SSL certificate you need to see the certificate path of SSL installed on any URL.
The root CA is the base of the certificate chain. Certificates from the root CA carries the same level of trust as the root CA certificate. The root CA signs the certificate for the intermediate CA. The role of the intermediate CA is to sign end-entity certificates for the root CA.
The SSL certificate is signed by an intermediate CA for use as a domain specific certificate. The SSL certificate is installed on an SSL enabled server (end-entity) and the certificate is presented to the browser when initiating an SSL connection with the server. The browser will try to confirm the authenticity of the SSL certificate by checking the signing authority of the certificate.
The intermediate CA is a deputy to a specific root CA and uses a certificate signed by the root CA. The intermediate CA is the signer of SSL certificates. The intermediate CAs get their CA directly from the signing root CA.
The root CA utilizes a X.509-based public key certificate that specifically identifies the root CA. The root CA is the signing authority for the SSL certificate chain. Browser vendors include a list of known, trusted root CAs that will ultimately determine the validity of an SSL certificate.
For a browser to accept an SSL certificate, the certificate must be issued by a CA that has a signed certificate from a root CA. That is included in the browser’s store of known, trusted root CAs.
The browser will check each intermediate CA’s certificate to establish if it was issued by a known, trusted root CA. In case the certificate of the intermediate CA was signed by some another intermediate CA, the web browser will then verify if that intermediate CA’s certificate to check if the issuer of the certificate is a trusted root CA.
This chain of checking a level deeper will continue until the root CA certificate is located and checked against the browser’s trusted store of root CA’s.
When the root CA matches a known and trusted root CA in the browser’s store, the certificate is accepted as valid.
Untrusted SSL connections are managed in various ways by different vendors, most will warn that the connection is distrusted, requiring the user to acknowledge the discrepancy or outright fail to allow the connection to establish.
For more in-depth understanding of SSL certificate chain I have a video for you. Watch this for quick understanding.
Simple Example of a certificate chain:
If the root CA is a known, trusted CA, the SSL certificate presented to the browser in the initial request is deemed valid.
SSL certificate troubleshooting can be really difficult at times if you are not familiar with procedures. Having said that, here is a SSL Certificate troubleshooting guide with solution of most common errors.