Understanding An SSL Certificate Chain

Sometimes technology and web development can be more complicated and confusing than straightforward and simple. Electing to buy an SSL certificate from a recognized and trusted root Certificate Authority like Comodo makes life a lot easier since you can avoid a lot of the potential issues that can happen if you are required to use an SSL certificate chain.

As we mentioned, we are a root Certificate Authority (CA), so our root certificate is already in the trusted store of 99.9% of all browsers and devices in use. That means that when you install our Comodo SSL, EV SSL, Wildcard SSL or even our free 90-day SSL certificate, the certificate will be recognized by the device that is connecting.

There are companies that provide SSL certificates but are not root CAs. These vendors are known as Intermediate CAs. An Intermediate CA can issue SSL certificates because its own certificate was issued by a trusted source, the root CA.

What it Means to You

What this means is that when a device connects, the browser starts from the end-user certificate and moves to the next Intermediate CA up the hierarchy. There can be several Intermediate CAs in this procession. None of them, on its own, is a trusted source, so the browser does not yet trust the connection.

However, by moving up the SSL certificate chain, the browser reaches the root CA, which is a trusted source. At this point, the browser connects and the customer sees the website without any warning messages.

If, on the other hand, there is no root CA at the top of the series, the browser on the device displays a warning that the website is not secure. This gives the viewer the choice to proceed to the website anyway or to "get out of here", which is what almost all online buyers will do.

For all types of installations, it is important to make sure the SSL certificate chain is correct. Sometimes an incorrect Intermediate CA certificate is added to the chain, resulting in a security warning on the site. This can be a complicated problem to diagnose, as it may only occur in browsers that do not cache intermediate certificates: browsers that already hold a correct copy of the intermediate will still work, while those that must rely on the chain the server sends will not.

Different Certificates


Each of the Intermediate CAs in the chain also has a certificate. Each is issued by the next Intermediate CA up the series, and the last Intermediate certificate in the chain is issued by the root CA. The root certificate is issued to and by the root CA itself, and is embedded in the connected devices and web browsers. A root certificate is embedded in a browser because the CA meets the requirements of the root certificate program run by that application, operating system or toolkit vendor.

In this way, the root certificate and the root CA become the anchor of the string of certificates, and each Intermediate CA in the chain is a link. Each link has to be able to verify, using the public key of the one above it, the signature that the one above placed on its certificate, moving from the anchor down the chain to the end-user certificate.

And This Means?

All of the links in the SSL certificate chain are necessary. Having the right keys to check each signature up and down the chain, from the device to the root CA, creates what is known as a chain of trust.

By using this process, every Intermediate CA does not have to be verified by each root CA or by every other CA; each one only needs to be vouched for by the CA directly above it. It also means that data from the site can be trusted to be authentic and not modified or corrupted in transit.
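As an added example (not code from the original article), the chain described above, built with the openssl command line: a self-signed root anchor, an intermediate signed by the root, and an end-user certificate signed by the intermediate, then checked with openssl verify in the three situations the text describes (correct intermediate, incorrect intermediate, missing intermediate). All names and validity periods are made up, and an openssl binary is assumed.

```shell
#!/bin/sh
# Added example (hypothetical names): build a three-link chain with the openssl
# CLI, then verify it the way a browser without cached intermediates would.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extensions: root and intermediate are CAs, the end-user certificate is not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# csr NAME SUBJECT: generate a fresh key and a signing request for it.
csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -config req.cnf -new -key "$1.key" -subj "$2" -out "$1.csr"
}

# Root CA: self-signed; this is the anchor the verifier is told to trust.
csr root "/CN=Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate CA: its certificate is signed with the root's private key.
csr int "/CN=Example Intermediate CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 -extfile ca.ext -out int.pem 2>/dev/null

# End-user certificate: signed with the intermediate's private key.
csr leaf "/CN=www.example.test"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null

# An "incorrect intermediate": same name, also issued by the root, but a
# different key pair. It never signed the leaf, so the leaf's signature
# will not verify against its public key.
csr wrong "/CN=Example Intermediate CA"
openssl x509 -req -in wrong.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 -extfile ca.ext -out wrong.pem 2>/dev/null

# verify_leaf [-untrusted FILE]: check leaf.pem against the root anchor using
# only the intermediates supplied, like a browser that caches nothing.
# Exit status 0 means every signature verifies up to the root.
verify_leaf() {
  openssl verify -CAfile root.pem "$@" leaf.pem >/dev/null 2>&1
}

for extra in "-untrusted int.pem" "-untrusted wrong.pem" ""; do
  if verify_leaf $extra; then echo "OK   leaf + [$extra]"; else echo "FAIL leaf + [$extra]"; fi
done
```

Only the first case passes; the wrong intermediate fails on the signature check, and the missing one fails because the issuer cannot be found, which is exactly the warning a non-caching browser shows.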

This trust, plus the ability to add more links to the chain, makes this a very scalable technology. The chain can be modified, or an Intermediate CA added, to provide different features or functions. This reflects the need for different SSL certificates, including UC/SAN certificates, which have their own certificate policies.

At Comodo, we are a trusted root Certificate Authority. Our root certificates are embedded in all major servers and we are recognized by 99.9% of all devices. To purchase one of our Comodo SSL certificates see us online at www.ssl.comodo.com. We can also answer your questions by phone at +1 888 266 6361.
