What is SSL Certificate Chain in PKI and How Does It Work?

1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)
loadingLoading...
What is SSL Certificate Chain

In-depth Guide on SSL Certificate Chain in PKI

If you are a website owner, you obviously know what installing an SSL certificate on your website means. Not just securing trust and data, it also plays a key role in boosting your website’s ranking in Google. However, what you might not know is that your certificate doesn’t function inside a bubble. Rather, it is a part of something called the SSL certificate chain.

If you want to truly understand what an SSL certificate chain is, you, at the very least, should have a basic idea about public key infrastructure (PKI), as PKI is a trust model that fortifies SSL certificates.

What is PKI in SSL Certificate Chain?

Public Key Infrastructure (PKI) is a system of digital certificates, certificate authorities (CAs), and other related hardware and software that is used to create, manage, distribute, use, store, and revoke digital certificates. PKI is used to secure electronic communications and transactions by enabling the use of digital certificates and public key encryption.

Got a basic understanding of PKI Certificate? Let us discuss what an SSL certificate chain is.

What is an SSL Certificate Chain?

Also known as certificate hierarchy or SSL chain of trust, a certificate chain is a series of SSL certificates that are used to establish trust between a client (such as a web browser) and a server (such as a website). The purpose of the SSL certificate chain is to establish a chain of trust between the client and the server.

When a client establishes a secure connection to a server, it checks the SSL certificate chain to verify the authenticity of the SSL certificate and to ensure that a trusted CA has issued the certificate. If the certificate chain is not valid, the client will not trust the certificate and will not establish a secure connection to the server.

Now that we know how the SSL certificate chain plays a key role in establishing confidentiality between the server and client let us check how it does so.

How does the SSL Certificate Chain Work?

The SSL certificate chain is an important part of the SSL/TLS ecosystem and plays a critical role in establishing trust between clients and servers.

Before we talk about how it works, let us discuss the three components that are involved in the process.

  • Root Certificate– The root certificate is a digital certificate issued by a trusted certificate authority (CA) and is used to sign intermediate certificates and end-entity SSL certificates. It is stored in a “trust store” in most web browsers and is closely guarded by the CA.
  • Intermediate Certificate: Intermediate certificates are signed by the root certificate and used to sign end-entity SSL certificates. They act as a link between the root and server certificates, and there can be one or more intermediate certificates in a chain.
  • Server Certificate: The server certificate is the end-entity SSL certificate that is issued to a specific domain and is used to establish a secure connection between the server and the client. It is signed by one or more intermediate certificates, which are, in turn, signed by the root certificate. The server certificate is installed on the server and is used to authenticate the server to the client.

Here’s how SSL Certificate Chain works:

Issuance of Self-Signed Root Certificate

The certificate authority (CA) issues a self-signed root certificate. This root certificate is used to sign one or more intermediate certificates.

Signing End-Entity SSL Certificate

The intermediate certificates are, in turn, used to sign the end-entity SSL certificate that is installed on the server.

Verification of the SSL Certificate

When a client (such as a web browser) establishes a secure connection to a server, it checks the SSL certificate chain to verify the authenticity of the SSL certificate and to ensure that a trusted CA has issued the certificate.

Checking the Root Certificate

The client checks the root certificate to see if it is trusted. If the root certificate is trusted, the client trusts all of the intermediate certificates and the end-entity SSL certificate.

Establishing Secure Connection

The client establishes a secure connection to the server and begins exchanging encrypted data with the server.

If any of the certificates in the chain are not trusted or are not valid, the SSL certificate chain will not be considered trustworthy by the client, and the client will not establish a secure connection to the server.

Now that we know how the certificate chain works let us get into its verification process.

The chain of the trust verification process is the process by which a client (such as a web browser) verifies the authenticity of an SSL certificate and establishes trust with the server. Here’s how the process works:

Connection to the Server

The client establishes a connection to the server and requests the SSL certificate. 

Response of the Server

The server responds with the SSL certificate and the certificate chain.

Checking the Trust Store

The client checks the trust store on the client’s device to see if the root certificate in the chain is trusted. If the root certificate is trusted, the client trusts all of the intermediate certificates and the end-entity SSL certificate. 

Checking the Expiration Date of the SSL

The client checks the expiration date of the SSL certificate to ensure that it is still valid.

Checking the Domain Name in the SSL Certificate

The client checks the domain name in the SSL certificate to ensure that it matches the server’s domain name.

If the certificate chain is valid and trusted, the client establishes a secure connection to the server and begins exchanging encrypted data with the server.

If any of the certificates in the chain are not trusted or are not valid, the SSL certificate chain will not be considered trustworthy by the client, and the client will not establish a secure connection to the server.

Here are a few examples of SSL certificate chains:

  • Single-Tier Certificate Chain: This is the simplest type of certificate chain, where the root certificate is used to sign the end-entity SSL certificate directly. In this case, the certificate chain consists of only two certificates: the root certificate and the end-entity SSL certificate.
  • Two-Tier Certificate Chain: This type of certificate chain consists of three certificates: the root certificate, an intermediate certificate, and the end-entity SSL certificate. The root certificate is used to sign the intermediate certificate, which is, in turn, used to sign the end-entity SSL certificate.
  • Multi-Tier Certificate Chain: This type of certificate chain consists of four or more certificates, with the root certificate being used to sign one or more intermediate certificates, which are, in turn, used to sign other intermediate certificates or the end-entity SSL certificate.

In all of these examples, the certificate chain is used to establish trust between the client and the server and to verify the authenticity of the SSL certificate. The number of certificates in the chain and the specific trust relationships between the certificates will depend on the specific requirements of the certificate authority and the SSL certificate being used.

Did you know that there can be times when you might receive errors in your certificate’s SSL cert chain if something has been configured incorrectly? Let us talk about that.

How to Check SSL Certificate Chain Online?

When setting up an SSL certificate on your website, it is important to remember that you need to install not just the site’s certificate but also one or more intermediate (or chain) certificates. If the chain is wrong, it can cause certificate errors in browsers which might make visitors leave your site. In different browsers, the chain could appear differently as some of them cache intermediate certificates and download missing ones on-demand. When renewing your certificate, you might have to install new intermediates. You can visit our SSL tools where you can check SSL certificate chain online.

How to Validate SSL Certificate Chain Through OpenSSL?

Run the below OpenSSL Commands to validate a certificate and its chain:

To verify a certificate and its chain for a given website, run the following command:

openssl verify -CAfile chain.pem www.yoursite.com.pem

To validate the intermediates and root certificate separately, use the -untrusted flag.

Note: -untrusted command used once for a certificate chain bundle of intermediates, or once for each intermediate in a separate file.

openssl verify -CAfile root.pem -untrusted intermediate.pem www.yoursite.com.pem

Add -show_chain flag to show the output the certificate chain and the relevant depth of each certificate in the chain.

openssl verify -show_chain -CAfile chain.pem www.yoursite.com.pem

What are Some Issues that Happen in the SSL Certificate Chain, and How to Troubleshoot them?

There are a few common issues that can arise with the SSL certificate chain and cause trust issues between clients and servers. Here are a few possible issues and steps you can take to troubleshoot them:

  • Expired Certificates: If any of the certificates in the chain have expired, the client will not trust the certificate chain and will not establish a secure connection to the server.

Troubleshooting method: To troubleshoot this issue, check the expiration dates of all of the certificates in the chain and ensure that they are all still valid.

  • Untrusted Root Certificates: If the root certificate is not trusted by the client, the entire certificate chain will not be trusted.

Troubleshooting method: To troubleshoot this issue, check the trust store on the client to ensure that the root certificate is trusted.

  • Incorrect Certificate Chain Order: The certificate chain must be presented in the correct order for the client to trust it. If the certificates are not presented in the correct order, the client will not trust the certificate chain.

Troubleshooting method: To troubleshoot this issue, check the order of the certificates in the chain and ensure that they are presented in the correct order.

  • Self-signed certificates: Self-signed certificates are not trusted by most clients and should not be used on production websites. If a self-signed certificate is being used, the client will not trust the certificate chain.

Troubleshooting method: To troubleshoot this issue, obtain a trusted SSL certificate from a certificate authority.

These are some of the issues and their troubleshooting ways.

Final Thoughts

An SSL certificate ensures the security and integrity of your website via the application of secure HTTPS protocol. The chain of trust is important for implementing the security protocol. Thanks to its tree-like structure, establishing contact with the server securely and swiftly has become possible. Moreover, it also makes it convenient to trace back the SSL certificate to its original root.

Related posts:

  1. What is a Certificate Authority (CA) in PKI? An Ultimate Guide
  2. What is Asymmetric Encryption, and How Does It Work?
  3. SSL Certificate Cost – What Does It Cost to Get It Issued?
  4. What is PKI Certificate? [A Detailed Guide]
  5. What is SSL Pinning & How Does It Work? [An Ultimate Guide]
  6. Public Key and Private Key Pairs: What are they and How do they Work?
  7. What is AES Encryption and How Does It Work [Detailed Guide]
  8. What is End-to-End Encryption and How Does It Work?

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.

Leave a comment

Your email address will not be published. Required fields are marked *