If you are a website owner, you obviously know what installing an SSL certificate on your website means. Besides securing trust and data, it also plays a key role in boosting your website’s ranking in Google. However, what you might not know is that your certificate doesn’t function inside a bubble. Rather, it is part of something called the SSL certificate chain.
If you want to truly understand what an SSL certificate chain is, you, at the very least, should have a basic idea about public key infrastructure (PKI), as PKI is a trust model that fortifies SSL certificates.
Public Key Infrastructure (PKI) is a system of digital certificates, certificate authorities (CAs), and other related hardware and software that is used to create, manage, distribute, use, store, and revoke digital certificates. PKI is used to secure electronic communications and transactions by enabling the use of digital certificates and public key encryption.
Got a basic understanding of PKI? Let us discuss what an SSL certificate chain is.
Also known as certificate hierarchy or SSL chain of trust, a certificate chain is a series of SSL certificates that are used to establish trust between a client (such as a web browser) and a server (such as a website). The purpose of the SSL certificate chain is to establish a chain of trust between the client and the server.
When a client establishes a secure connection to a server, it checks the SSL certificate chain to verify the authenticity of the SSL certificate and to ensure that a trusted CA has issued the certificate. If the certificate chain is not valid, the client will not trust the certificate and will not establish a secure connection to the server.
Now that we know that the SSL certificate chain plays a key role in establishing trust between the server and the client, let us check how it does so.
The SSL certificate chain is an important part of the SSL/TLS ecosystem and plays a critical role in establishing trust between clients and servers.
Before we talk about how it works, let us discuss the three components that are involved in the process.
Here’s how an SSL certificate chain works:
The certificate authority (CA) issues a self-signed root certificate. This root certificate is used to sign one or more intermediate certificates.
The intermediate certificates are, in turn, used to sign the end-entity SSL certificate that is installed on the server.
When a client (such as a web browser) establishes a secure connection to a server, it checks the SSL certificate chain to verify the authenticity of the SSL certificate and to ensure that a trusted CA has issued the certificate.
The client checks whether the root certificate is in its trust store. If the root is trusted and each signature in the chain verifies (the root’s signature over the intermediate, the intermediate’s signature over the end-entity certificate), the client trusts the intermediate certificates and the end-entity SSL certificate.
The client establishes a secure connection to the server and begins exchanging encrypted data with the server.
If any of the certificates in the chain are not trusted or are not valid, the SSL certificate chain will not be considered trustworthy by the client, and the client will not establish a secure connection to the server.
Now that we know how the certificate chain works, let us get into its verification process.
The chain of trust verification process is the process by which a client (such as a web browser) verifies the authenticity of an SSL certificate and establishes trust with the server. Here’s how the process works:
The client establishes a connection to the server and requests the SSL certificate.
The server responds with the SSL certificate and the certificate chain.
The client checks the trust store on its device to see if the root certificate in the chain is trusted. If the root is trusted and each certificate’s signature verifies against its issuer, the client trusts all of the intermediate certificates and the end-entity SSL certificate.
The client checks the expiration date of the SSL certificate to ensure that it is still valid.
The client checks the domain name in the SSL certificate to ensure that it matches the server’s domain name.
If the certificate chain is valid and trusted, the client establishes a secure connection to the server and begins exchanging encrypted data with the server.
If any of the certificates in the chain are not trusted or are not valid, the SSL certificate chain will not be considered trustworthy by the client, and the client will not establish a secure connection to the server.
Here are a few examples of SSL certificate chains:
In all of these examples, the certificate chain is used to establish trust between the client and the server and to verify the authenticity of the SSL certificate. The number of certificates in the chain and the specific trust relationships between the certificates will depend on the specific requirements of the certificate authority and the SSL certificate being used.
Did you know that you might receive errors in your certificate’s chain if something has been configured incorrectly? Let us talk about that.
When setting up an SSL certificate on your website, it is important to remember that you need to install not just the site’s certificate but also one or more intermediate (or chain) certificates. If the chain is wrong, it can cause certificate errors in browsers, which might make visitors leave your site. The chain can look different in different browsers, as some of them cache intermediate certificates and fetch missing ones on demand. When renewing your certificate, you might have to install new intermediates. You can visit our SSL tools, where you can check the SSL certificate chain online.
Run the OpenSSL commands below to validate a certificate and its chain:
To verify a certificate and its chain for a given website, run the following command (chain.pem holds the intermediate and root certificates; openssl verify needs the self-signed root to be present):
openssl verify -CAfile chain.pem www.yoursite.com.pem
To validate the intermediates and the root certificate separately, use the -untrusted flag.
Note: -untrusted is given once for a bundle of intermediates, or once for each intermediate kept in a separate file.
openssl verify -CAfile root.pem -untrusted intermediate.pem www.yoursite.com.pem
Add the -show_chain flag to print the certificate chain that was used for verification, with the depth of each certificate in it (depth 0 is the end-entity certificate):
openssl verify -show_chain -CAfile chain.pem www.yoursite.com.pem
There are a few common issues that can arise with the SSL certificate chain and cause trust issues between clients and servers. Here are a few possible issues and steps you can take to troubleshoot them:
Expired certificate in the chain. Troubleshooting method: check the expiration dates of all of the certificates in the chain (the intermediates and root, not just the site certificate) and ensure that they are all still valid.
Root certificate not trusted by the client. Troubleshooting method: check the trust store on the client to ensure that the root certificate is trusted.
Certificates presented in the wrong order. Troubleshooting method: check the order of the certificates in the chain and ensure that they are presented in the correct order: the end-entity certificate first, followed by each intermediate up the chain.
Self-signed or otherwise untrusted certificate. Troubleshooting method: obtain a trusted SSL certificate from a certificate authority.
These are some common issues and how to troubleshoot them.
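The verification steps, the openssl verify commands and three of the misconfigurations above, exercised end to end in an added shell script (not code from the original article): it builds a constructed root, intermediate and leaf certificate with openssl, then runs the correct check beside the failing variants. Every name and file in it (Example Root CA, www.example.test, root.pem, int.pem, leaf.pem) is made up for the example.

```shell
#!/bin/sh
# Added example, not from the original article: build a constructed three-level
# chain (root -> intermediate -> leaf) with openssl, then run the checks a client
# performs: signature chain, trust anchor, expiry and hostname. All names are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# CA certificates must assert CA:TRUE; the leaf carries its hostname in a SAN.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

newcsr() {  # $1 = file stem, $2 = subject; P-256 keys keep generation fast
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}
newcsr root "/CN=Example Root CA"
newcsr int  "/CN=Example Issuing CA"
newcsr leaf "/CN=www.example.test"

# Root signs itself, root signs the intermediate, intermediate signs the leaf.
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
  -out root.pem 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.ext -out int.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 90 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Correct setup: root in the trust store, intermediate presented as untrusted,
# hostname checked against the SAN. -show_chain prints each certificate's depth.
verify_chain() {
  openssl verify -show_chain -CAfile root.pem -untrusted int.pem \
    -verify_hostname "$1" leaf.pem
}
# Misconfiguration 1: the server does not send the intermediate.
verify_missing_intermediate() { openssl verify -CAfile root.pem leaf.pem; }
# Misconfiguration 2: the client's trust store does not contain the root.
verify_untrusted_root() { openssl verify -CAfile int.pem leaf.pem; }
# Misconfiguration 3: the leaf has expired (verification time moved 120 days on).
verify_expired() {
  openssl verify -attime $(( $(date +%s) + 120 * 86400 )) \
    -CAfile root.pem -untrusted int.pem leaf.pem
}

verify_chain www.example.test
verify_chain wrong.example.test || echo "hostname mismatch rejected, as expected"
verify_missing_intermediate    || echo "missing intermediate rejected, as expected"
verify_untrusted_root          || echo "untrusted root rejected, as expected"
verify_expired                 || echo "expired leaf rejected, as expected"
```

Only the first call prints leaf.pem: OK; the other four reproduce the error a browser would report for that misconfiguration.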
An SSL certificate ensures the security and integrity of your website through the HTTPS protocol, and the chain of trust is what makes that protocol work. Its tree-like structure lets a client establish a secure connection to the server quickly, and it makes it straightforward to trace an SSL certificate back to its root.