SSL Certificate and SSL Certificate Chain – An Introduction

An SSL certificate, or Secure Sockets Layer certificate, is a digital certificate that provides authentication and encryption for secure communication on the internet. SSL certificates are commonly used to secure sensitive information, such as personal data, credit card numbers, login credentials, and other confidential data, during transmission between a client (e.g., a web browser) and a server (e.g., a website).

The primary purpose of an SSL certificate is to establish a secure and encrypted connection between a client and a server, ensuring that the data exchanged remains confidential and cannot be intercepted or tampered with by unauthorized parties. It helps create a sense of trust and security for users interacting with websites and other online services.

When a website or a server has an SSL certificate installed, it enables the use of the HTTPS protocol (Hypertext Transfer Protocol Secure) instead of the unencrypted HTTP protocol. The SSL certificate contains important information, including:

1. Public Key: The SSL certificate includes a public key, which is used to encrypt data sent from the client to the server. This encryption ensures that even if intercepted, the data will be unreadable without the corresponding private key.
2. Certificate Authority (CA) Information: The SSL certificate also contains information about the Certificate Authority that issued the certificate. CAs are trusted third-party entities responsible for verifying the identity of the certificate holder and issuing the certificate. Popular CAs include Let’s Encrypt, Comodo, DigiCert, and Symantec.
3. Website Information: The SSL certificate includes details about the website or organization that the certificate is issued to, such as the domain name, organization name, and location.

When a user accesses a website secured with SSL, their browser checks the SSL certificate for validity and authenticity. The browser verifies whether the certificate is issued by a trusted CA, whether it has expired, and whether it is being used for the correct domain. If the certificate passes these checks, the browser displays a padlock icon or a green address bar, indicating that the connection is secure and encrypted.

SSL certificates are available in different types and validation levels. The three common types are:

1. Domain Validated (DV) Certificate: This type of certificate verifies ownership of the domain only. It is the most basic type and typically the easiest and quickest to obtain.
2. Organization Validated (OV) Certificate: An OV certificate verifies the domain ownership as well as some additional information about the organization, providing a higher level of assurance to users.
3. Extended Validation (EV) Certificate: EV certificates provide the highest level of validation. They involve a more rigorous verification process, including confirming the legal identity and physical existence of the organization. Websites with EV certificates often display the organization’s name in the browser’s address bar.

SSL certificate is a digital certificate that enables secure and encrypted communication between a client and a server. It provides authentication, and data encryption, and helps establish trust and credibility for websites and online services.

SSL Certificate chain

An SSL certificate chain, also known as a certificate chain or certificate hierarchy, refers to a sequence of SSL certificates that are used to establish trust and verify the authenticity of a website’s SSL certificate.

To understand the certificate chain, let’s consider the following scenario: You visit a website using HTTPS, and the website presents an SSL certificate to establish a secure connection. However, your web browser needs to ensure that the presented SSL certificate is valid and trustworthy.

The SSL certificate chain consists of the following components:

1. SSL Certificate: This is the certificate presented by the website to your web browser. It contains information such as the website’s domain name, public key, and other details. A Certificate Authority (CA) like DigiCert issues this certificate.
2. Intermediate Certificates: Intermediate certificates sit between the SSL certificate and the root certificate in the certificate chain. These certificates are also issued by a CA however, these certificates are used to create a chain of trust from the root certificate to the SSL certificate. Intermediate certificates are necessary because root certificates are stored in web browsers and operating systems, while intermediate certificates are issued and managed by CAs.
3. Root Certificate: The root certificate is the topmost certificate in the certificate chain. It is self-signed by the CA and represents the ultimate trust anchor. Web browsers and operating systems come preloaded with a set of trusted root certificates. When validating an SSL certificate, the browser checks if the SSL certificate is signed by a trusted root certificate.

During the SSL/TLS handshake process, the web server sends the SSL certificate to the client (web browser), and the client verifies the certificate’s validity and authenticity. To do this, the client checks the SSL certificate against the certificate chain.

The client performs the following steps to validate the certificate chain:

1. Check the SSL Certificate: The client checks the SSL certificate’s expiry date, the domain name it is issued for, and other details to ensure it is not expired and matches the accessed domain.
2. Verify the Intermediate Certificates: The client checks if the SSL certificate is issued by a trusted intermediate certificate. It looks for the presence of intermediate certificates in the certificate chain.
3. Verify the Root Certificate: The client checks if the last certificate in the chain, the root certificate, is signed by a trusted root certificate. The client compares the root certificate against its preloaded set of trusted root certificates.

If all the certificates in the chain are valid, trusted, and correctly linked, the client considers the SSL certificate to be valid and establishes a secure connection with the website. If any of the certificates in the chain are missing, expired, or not trusted, the client displays a warning to the user, indicating that the connection may not be secure.

The certificate chain plays a crucial role in ensuring the trustworthiness and authenticity of SSL certificates. It helps establish a chain of trust from the trusted root certificates to the SSL certificates presented by websites, assuring users that their communication is secure and encrypted.