SSL Certificate Chain: Explained

July 17, 2017 | By Kimberly Reynolds

An SSL certificate chain is an ordered list of certificates that includes the server's SSL certificate and the Certificate Authority (CA) certificates above it. One end of the chain is the SSL certificate of the domain owner; the other end is the root certificate of the CA.

The SSL certificate chain enables the receiver of the certificate (the browser) to verify the trustworthiness of the issuing CA. Two different types of CA take part in the chain: root CAs and intermediate CAs. SSL certificates are not signed by the root CA directly but by authorized intermediaries referred to as intermediate CAs, and the certificates that identify these intermediate CAs are called intermediate certificates.

The browser establishes a trusted, secure SSL connection only if it is satisfied with the trustworthiness of the issuing CA. For that, the root CA’s certificate must be present in the browser’s trusted store.

Certificate Checking Scenario

In a typical scenario, the browser first checks whether the SSL certificate was issued by a trusted CA. If so, the trusted connection is established. If this check fails, the browser checks whether the issuing CA’s certificate was itself issued by a trusted CA. If that too fails, the process is repeated one level at a time until it reaches the root CA’s certificate. If this process never finds a trusted CA, the browser displays an “Untrusted” error and the connection is not allowed.

In the chain of certificates, each certificate is signed by the next entity up in the hierarchy. The owner of a domain purchases an SSL certificate for that specific domain from a certificate-issuing authority. This authority would not be the root CA (whose certificate is already in the browser’s trusted certificate store), so the issuing authority is not explicitly trusted on its own.

This certificate-issuing authority uses a certificate issued by an intermediate CA, which in turn may use a certificate issued by another intermediate CA. The chain continues until an intermediate CA is using a certificate issued by the root CA. If the root CA’s certificate is present in the store, trust is established and the connection is enabled.

Implications of Broken SSL Chain

If the certificate chain is broken at any point, the browser will likewise display an “Untrusted” error. When the end-entity (server) SSL certificate is installed, all the intermediate certificates must be bundled and installed along with it. If any intermediate certificate that is part of the chain is not installed, the chain is broken: the browser cannot verify a path from the server’s certificate to a trusted root, so it displays an “untrusted certificate error.”
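The checking scenario from the previous section and the broken-chain case described just above, as an added example that is not code from the original article: a stdlib-only Python model of the chain walk. The `Cert` record, the `toy_sign` stand-in for a real RSA/ECDSA signature, and the `Example Root CA` / `Example Intermediate CA` / `www.example.com` hierarchy are all constructed for this illustration; a real browser does the same walk over X.509 certificates with real signature checks.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal certificate record (constructed model, not a real X.509 object)."""
    subject: str
    issuer: str
    key_id: str     # stands in for the subject's public key
    signature: str  # stands in for the issuer's signature over the fields above

    def to_be_signed(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.key_id}".encode()

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def toy_sign(signing_key_id: str, tbs: bytes) -> str:
    # Placeholder for a real signature: binds the signed fields to the issuer's key id.
    return hashlib.sha256(signing_key_id.encode() + tbs).hexdigest()


def issue(subject: str, key_id: str, issuer: Optional[Cert] = None) -> Cert:
    """Issue a certificate for `subject`, signed by `issuer` (self-signed when issuer is None)."""
    issuer_name = subject if issuer is None else issuer.subject
    signing_key_id = key_id if issuer is None else issuer.key_id
    unsigned = Cert(subject, issuer_name, key_id, "")
    return Cert(subject, issuer_name, key_id, toy_sign(signing_key_id, unsigned.to_be_signed()))


def verify_signature(cert: Cert, issuer: Cert) -> bool:
    return cert.signature == toy_sign(issuer.key_id, cert.to_be_signed())


def build_chain(leaf: Cert, untrusted: Iterable[Cert], trust_store: Iterable[Cert],
                max_depth: int = 8) -> Tuple[str, List[Cert]]:
    """Walk from the server certificate towards a trusted root.

    Returns (status, chain). status is "OK" only when the walk ends at a root
    present in trust_store; every other status corresponds to the browser's
    "Untrusted" outcome, with the reason spelled out.
    """
    bundle: Dict[str, Cert] = {c.subject: c for c in untrusted}     # what the server sent
    trusted: Dict[str, Cert] = {c.subject: c for c in trust_store}  # browser's root store
    chain: List[Cert] = [leaf]
    current = leaf
    for _ in range(max_depth):
        # Step 1: was this certificate issued by a CA the browser already trusts?
        root = trusted.get(current.issuer)
        if root is not None:
            if not verify_signature(current, root):
                return "bad signature: not really issued by the trusted CA", chain
            if root != current:
                chain.append(root)
            return "OK", chain
        # A self-signed certificate that is not in the store is an unknown root: stop here.
        if current.is_self_signed():
            return "root not in trust store", chain
        # Step 2: otherwise look for the issuer's own certificate among the intermediates
        # supplied with the server certificate, and repeat one level up.
        issuer_cert = bundle.get(current.issuer)
        if issuer_cert is None:
            return f"chain broken: intermediate certificate for '{current.issuer}' not installed", chain
        if not verify_signature(current, issuer_cert):
            return "bad signature: intermediate does not match", chain
        chain.append(issuer_cert)
        current = issuer_cert
    return "chain too long", chain


# Constructed sample hierarchy: root -> intermediate -> server certificate.
ROOT = issue("Example Root CA", key_id="root-key-0001")
INTERMEDIATE = issue("Example Intermediate CA", key_id="int-key-0002", issuer=ROOT)
LEAF = issue("www.example.com", key_id="leaf-key-0003", issuer=INTERMEDIATE)
TRUST_STORE = [ROOT]


def demo() -> Dict[str, str]:
    """Run the three situations the article describes and return their status strings."""
    return {
        "complete chain": build_chain(LEAF, [INTERMEDIATE], TRUST_STORE)[0],
        "intermediate missing": build_chain(LEAF, [], TRUST_STORE)[0],
        "root not trusted": build_chain(LEAF, [INTERMEDIATE, ROOT], [])[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:22s} -> {status}")
```

Running the script prints one status per situation: the complete chain verifies, leaving the intermediate out of the bundle reproduces the broken-chain error, and a root that is not in the store is rejected even when the server sends it. On a real deployment the equivalent check is `openssl verify -CAfile root.pem -untrusted intermediate.pem leaf.pem`; dropping the `-untrusted` bundle reproduces the "unable to get local issuer certificate" failure that the broken chain causes.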

Proper Certificate Installation

For SSL certificate authentication to succeed, the certificate chain must be continuous and unbroken. Correct installation can be ensured by using SSL certificate installation wizards that guide the process and install the intermediate certificates along with the server certificate.

