What is SSL Certificate Chain in PKI and How Does It Work?

1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)
Loading...
What is SSL Certificate Chain

In-depth Guide on SSL Certificate Chain in PKI

If you are a website owner, you obviously know what installing an SSL certificate on your website means. Not just securing trust and data, it also plays a key role in boosting your website’s ranking in Google. However, you might not know that your certificate doesn’t function inside a bubble. The SSL certificate chain includes it as a part.

If you want to truly understand what an SSL certificate chain is, you, at the very least, should have a basic idea about public key infrastructure (PKI), as PKI is a trust model that fortifies SSL certificates.

What is PKI in SSL Certificate Chain?

Public Key Infrastructure (PKI) facilitates the creation, management, distribution, usage, storage, and revocation of digital certificates through a system of digital certificates, certificate authorities (CAs), and other related hardware and software. PKI enables the use of digital certificates and public key encryption to secure electronic communications and transactions.

Got a basic understanding of PKI Certificate? Let us discuss what an SSL certificate chain is.

What is an SSL Certificate Chain?

A certificate chain, also referred to as certificate hierarchy or SSL chain of trust, establishes trust between a client (such as a web browser) and a server (such as a website) by using a series of SSL certificates. The purpose of the SSL certificate chain is to establish a chain of trust between the client and the server.

When a client establishes a secure connection to a server, it checks the SSL certificate chain to verify the authenticity of the SSL certificate and to ensure that a trusted CA has issued the certificate. If the certificate chain is not valid, the client will not trust the certificate and will not establish a secure connection to the server.

Now that we know how the SSL certificate chain plays a key role in establishing confidentiality between the server and client let us check how it does so.

How does the SSL Certificate Chain Work?

The SSL certificate chain is an important part of the SSL/TLS ecosystem and plays a critical role in establishing trust between clients and servers.

Before discussing how it works, let us discuss the three components involved in the process.

  • Root Certificate– The root certificate is a digital certificate issued by a trusted certificate authority (CA) and is used to sign intermediate certificates and end-entity SSL certificates. Most web browsers store it in a “trust store,” and the CA closely guards it.
  • Intermediate Certificate: Intermediate certificates are signed by the root certificate and used to sign end-entity SSL certificates. They link the root and server certificates; a chain can have one or more intermediate certificates.
  • Server Certificate: The certificate authority issues the server certificate, which is the end-entity SSL certificate, to a specific domain. It enables the server to establish a secure connection with the client. One or more intermediate certificates sign the end-entity SSL certificate, and, in turn, the root certificate signs those intermediate certificates. The server installs the server certificate and uses it to authenticate itself to the client.

Here’s how SSL Certificate Chain works:

Issuance of Self-Signed Root Certificate

The certificate authority (CA) issues a self-signed root certificate. This root certificate signs one or more intermediate certificates.

Signing End-Entity SSL Certificate

The intermediate certificates sign the end-entity SSL certificate installed on the server.

Verification of the SSL Certificate

When a client (such as a web browser) establishes a secure connection to a server, it checks the SSL certificate chain to verify the authenticity of the SSL certificate and to ensure that a trusted CA has issued the certificate.

Checking the Root Certificate

The client checks the root certificate to determine if it trusts it. If the root certificate is trusted, the client trusts all the intermediate and end-entity SSL certificates.

Establishing Secure Connection

The client establishes a secure connection to the server and begins exchanging encrypted data with the server.

If the client does not trust or find any of the certificates in the chain valid, the SSL certificate chain will be deemed untrustworthy. Consequently, the client will not establish a secure connection to the server.

Now that we know how the certificate chain works, let us get into its verification process.

The chain of the trust verification process is the process by which a client (such as a web browser) verifies the authenticity of an SSL certificate and establishes trust with the server. Here’s how the process works:

Connection to the Server

The client establishes a connection to the server and requests the SSL certificate. 

Response of the Server

The server responds with the SSL certificate and the certificate chain.

Checking the Trust Store

The client checks the trust store on its device to determine if it trusts the root certificate in the chain. If the client trusts the root certificate, it trusts all the intermediate and end-entity SSL certificates.

Checking the Expiration Date of the SSL

The client checks the SSL certificate’s expiration date to ensure it is still valid.

Checking the Domain Name in the SSL Certificate

The client checks the domain name in the SSL certificate to ensure that it matches the server’s domain name.

If the certificate chain is valid and trusted, the client establishes a secure connection to the server and begins exchanging encrypted data with the server.

If the client does not trust or validate any of the certificates in the chain, it will consider the SSL certificate chain untrustworthy, and it will not establish a secure connection to the server.

Examples of SSL certificate chains:

  • Single-Tier Certificate Chain: In this simplest type of certificate chain, the root certificate directly signs the end-entity SSL certificate. In this case, the certificate chain consists of only two certificates: the root certificate and the end-entity SSL certificate.
  • Two-Tier Certificate Chain: This type of certificate chain consists of three certificates: the root certificate, an intermediate certificate, and the end-entity SSL certificate. The root certificate signs the intermediate certificate, which, in turn, signs the end-entity SSL certificate.
  • Multi-Tier Certificate Chain: This type of certificate chain involves four or more certificates, where the root certificate signs one or more intermediate certificates, and those intermediate certificates, in turn, sign other intermediate certificates or the end-entity SSL certificate.

In all of these examples, the certificate chain establishes trust between the client and the server and verifies the SSL certificate’s authenticity. The specific requirements of the certificate authority and the SSL certificate being used determine the number of certificates in the chain and the specific trust relationships between them.

Yes, incorrect configuration can sometimes cause errors in your SSL certificate chain. Let us talk about that.

How to Check SSL Certificate Chain Online?

When setting up an SSL certificate on your website, it is important to remember that you need to install not just the site’s certificate but also one or more intermediate (or chain) certificates. If the chain is wrong, it can cause browser certificate errors, which might make visitors leave your site. The chain could appear differently in different browsers as some cache intermediate certificates and download missing ones on-demand. When renewing your certificate, you might have to install new intermediates. You can visit our SSL tools, where you can check the SSL certificate chain online.

How to Validate SSL Certificate Chain Through OpenSSL?

Run the below OpenSSL Commands to validate a certificate and its chain:

To verify a certificate and its chain for a given website, run the following command:

openssl verify -CAfile chain.pem www.yoursite.com.pem

To validate the intermediates and root certificate separately, use the -untrusted flag.

Note: -untrusted command used once for a certificate chain bundle of intermediates, or once for each intermediate in a separate file.

openssl verify -CAfile root.pem -untrusted intermediate.pem www.yoursite.com.pem

Add -show_chain flag to show the output the certificate chain and the relevant depth of each certificate in the chain.

openssl verify -show_chain -CAfile chain.pem www.yoursite.com.pem

What are Some Issues that Happen in the SSL Certificate Chain, and How to Troubleshoot them?

A few common issues can arise with the SSL certificate chain and cause trust issues between clients and servers. Here are a few possible issues and steps you can take to troubleshoot them:

  • Expired Certificates: If any of the certificates in the chain have expired, the client will not trust the certificate chain and will not establish a secure connection to the server.

To troubleshoot this issue, check the expiration dates of all certificates in the chain and ensure they are all still valid.

  • Untrusted Root Certificates: If the client does not trust the root certificate, it will not trust the entire certificate chain.

Fox Fixing this issue, check the trust store on the client to ensure that the root certificate is trusted.

  • Incorrect Certificate Chain Order: The client can trust the certificate chain only if you present it correctly. The client will not trust the certificate chain if the certificates are not presented in the correct order.

To troubleshoot this issue, check the order of the certificates in the chain and make sure they are presented correctly.

  • Self-signed certificates: Most clients do not trust self-signed certificates and should not use them on production websites. The client will not trust the certificate chain if a self-signed certificate is being used.

Obtain a trusted SSL certificate from a certificate authority to troubleshoot this issue.

These are some of the issues and their troubleshooting ways.

Final Thoughts

An SSL certificate ensures the security and integrity of your website via the application of secure HTTPS protocol. The chain of trust is important for implementing the security protocol. Thanks to its tree-like structure, establishing contact with the server securely and swiftly has become possible. Moreover, it also makes it convenient to trace back the SSL certificate to its original root.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.