Dump the code

Understanding certificate authority (CA) trust chains

Created 7 months ago
Posted By admin
3 min read
A trust chain, also known as a certificate chain or certification path, is a sequence of certificates that link a website's SSL/TLS certificate to a trusted root certificate authority (CA). Each certificate in the chain is digitally signed by the issuer, establishing a chain of trust from the end-entity certificate (website certificate) to the root CA certificate.

Components of a trust chain
Root Certificate Authority (Root CA): The root CA is the top-level certificate authority in the trust chain. Root CA certificates are self-signed and are installed by default in web browsers and operating systems.

Intermediate Certificate Authorities (Intermediate CAs): Intermediate CAs sit between the root CA and end-entity certificates. They issue certificates on behalf of the root CA and are used to create a hierarchical trust chain.

End-Entity Certificate (SSL/TLS Certificate): The end-entity certificate is the SSL/TLS certificate issued to a website or server. It contains the website's public key, domain name, and other identifying information.

Validating the trust chain
When a web browser connects to a website over HTTPS, it receives the website's SSL/TLS certificate along with the entire trust chain. The browser validates the certificate chain using the following steps:

- Verify Signature: The browser verifies that each certificate in the chain was signed with the private key corresponding to the public key in the next certificate up the chain (its issuer).

- Check Expiry: The browser checks the validity period of each certificate in the chain to ensure that it has not expired.

- Revocation Checking: The browser checks if any certificate in the chain has been revoked using Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responses.

- Root CA Trust: The browser checks if the root CA certificate is trusted. If the root CA certificate is installed in the browser's or operating system's trust store, and the chain of signatures is valid, the certificate is considered trusted.

Building the Trust Chain
If an SSL/TLS certificate is issued by an intermediate CA, the server sends not only its own certificate but also the intermediate CA certificate(s) during the TLS handshake. The browser then builds the trust chain by matching the issuer of the end-entity certificate with the subject of the intermediate CA certificate, and so on, until it reaches a trusted root CA certificate.
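The four validation steps listed above and the issuer-to-subject matching described in this section, as an added example that is not part of the original article: it uses Go's standard-library crypto/x509 package, which can both create a small test hierarchy and run the same browser-style checks. The hierarchy (Demo Root CA, Demo Intermediate CA, a leaf for the hypothetical host www.example.test with a deliberately short two-hour lifetime) and the helper names (issue, buildChain, verifyChain) are constructed for the demonstration; buildChain searches the received intermediates together with the trust store, since the root itself is normally not sent by the server.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a constructed three-tier hierarchy (not a real CA): a self-signed root,
// an intermediate signed by the root, and a leaf for the hypothetical host www.example.test.
type demoPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
	Issued                   time.Time // reference "now" for the validity checks
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a fresh key pair and signs tmpl with signer; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

func newDemoPKI() demoPKI {
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	root, rootKey := issue(ca(1, "Demo Root CA"), nil, nil)
	inter, interKey := issue(ca(2, "Demo Intermediate CA"), root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames:  []string{"www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(2 * time.Hour), // deliberately short-lived
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return demoPKI{root, inter, leaf, now}
}

// buildChain does the issuer/subject matching from the text: starting at the leaf, pick the candidate
// whose Subject equals the current Issuer until a self-issued certificate is reached. No signatures checked.
func buildChain(leaf *x509.Certificate, candidates []*x509.Certificate) []string {
	names := []string{leaf.Subject.CommonName}
	for cur := leaf; !bytes.Equal(cur.RawIssuer, cur.RawSubject); {
		var next *x509.Certificate
		for _, c := range candidates {
			if bytes.Equal(c.RawSubject, cur.RawIssuer) {
				next = c
			}
		}
		if next == nil {
			return names // issuer not available: the path stops short of a root
		}
		names = append(names, next.Subject.CommonName)
		cur = next
	}
	return names
}

// verifyChain runs the browser-style checks: signature of every link, validity period at time `at`,
// root present in the trust store, and hostname. Revocation (CRL/OCSP) is not part of x509.Verify.
func verifyChain(leaf *x509.Certificate, intermediates, trustedRoots []*x509.Certificate, host string, at time.Time) error {
	pool := func(certs []*x509.Certificate) *x509.CertPool {
		p := x509.NewCertPool()
		for _, c := range certs {
			p.AddCert(c)
		}
		return p
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: pool(trustedRoots), Intermediates: pool(intermediates), DNSName: host, CurrentTime: at,
	})
	return err
}

func main() {
	p := newDemoPKI()
	inter, root := []*x509.Certificate{p.Intermediate}, []*x509.Certificate{p.Root}
	fmt.Println("path:", buildChain(p.Leaf, append(inter, root...))) // received certs plus the trust store
	fmt.Println("complete chain:", verifyChain(p.Leaf, inter, root, "www.example.test", p.Issued))
	fmt.Println("missing intermediate:", verifyChain(p.Leaf, nil, root, "www.example.test", p.Issued))
	fmt.Println("leaf expired:", verifyChain(p.Leaf, inter, root, "www.example.test", p.Issued.Add(3*time.Hour)))
}
```

Running it prints the path leaf → intermediate → root, then `<nil>` for the complete chain and an error for each failure case: without the intermediate the leaf's issuer cannot be found (the classic "server forgot to send the intermediate" misconfiguration), and an evaluation time past the leaf's NotAfter fails the expiry step even though the CA certificates are still valid. Passing an empty trust store to verifyChain shows the root-trust step failing in the same way. Revocation checking is the one listed step a real client must add on top of x509.Verify.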

Importance of trust chains
Trust chains are essential for establishing the authenticity and trustworthiness of SSL/TLS certificates. They enable browsers and clients to verify that a website's certificate is issued by a trusted CA and has not been tampered with, providing assurance to users that their communication with the website is secure and private.

By understanding trust chains, website owners can ensure that their SSL/TLS certificates are properly configured and trusted by web browsers and clients, enhancing the security and reliability of their websites.