What is an SSL Certificate Chain and Why Should I Follow It?


To truly understand SSL certificates and what an SSL certificate chain is, you need at least a rudimentary knowledge of public key infrastructure (PKI). PKI is a system of certificate authorities (CAs), root programs, and digital certificates. PKI is the trust model that undergirds SSL/TLS.

So, let’s start with a quick refresher on PKI and then we’ll discuss the certificate chain.

What is a Certificate Authority?

A certificate authority is a highly regulated entity that is trusted to issue public SSL/TLS certificates. In order for a CA to be trusted, it must abide by a strict set of standards. The CA/Browser Forum (CA/B Forum) determines the baseline requirements, and the various accrediting root programs may add their own requirements on top of that. In order for a CA to be trusted, it must demonstrate to the various root programs that it is compliant and operates with transparency. There are required audits: any mis-issuance must be documented, and all certificates that are issued must be logged. This is all done to maintain high levels of trust.

When we refer to CAs, we’re referring to two different entities depending on the context:

  • In the colloquial sense, a CA is the organization that validates websites and organizations and then issues certificates.
  • In the technical sense, the CA is really a root certificate, and the organization just administers it.

What is a CA Root Certificate?

Root CA certificates are the genesis point for all other digital certificates issued by that CA. Root certificates are a special kind of digital certificate with longer lifespans and widely circulated public keys. But it’s the private key that makes the root CA so important: that signing key can create trusted certificates simply by signing them. That’s incredibly powerful, so CAs rarely issue directly from their roots – we’ll get to that in a moment.

At any rate, these root certificates live on our devices. They’re part of our root stores. And that brings us back to the root programs we mentioned in the last section. These root stores are administered by the various root programs:

  • Mozilla
  • Apple
  • Microsoft
  • Google

The CAs must demonstrate compliance with these programs to have their root certificates included. Once they are, the certificate and its public key will be stored locally on any device using that root program.

Now let’s talk about the SSL certificate chain. We’ll explain what it is and why you should care about it.

The SSL Certificate Chain and You

As we just established, any certificate signed by a root CA’s private key will be trusted. But CAs are loath to issue directly off the root because it increases their risk. If anything goes wrong, you don’t want to have to revoke a root. And you certainly don’t want to risk the root being compromised. So, instead, the CAs spin up intermediate certificates (often called intermediate roots) and issue certificates directly off those.

Unlike standard SSL/TLS certificates, intermediate certificates can sign other certificates. They can sign other intermediates or leaf (end-entity) certificates. When a certificate that was signed by an intermediate is presented to a client, the client will check its signature. The signature is from an intermediate, so next it will check the signature on the intermediate. It will keep checking until it can connect the leaf certificate to one of the roots in its root store. Or, in other words, it needs to see that the intermediate that signed the leaf certificate (or the intermediate that signed that intermediate) was signed by one of its trusted roots.

This is the certificate chain, also known as the certificate chain of trust. The series of digital signatures on each successive certificate forms the links. The client will continue following signatures back to the keys that produced them until it reaches a root. If it can’t connect the certificate to a trusted root, the browser shows an error saying your connection isn’t secure.

The problem is that while our devices have the root certificates saved on them, they don’t have all the intermediates. Some cache intermediates, but not all do. That’s why you’re sometimes sent an intermediate certificate along with your SSL certificate. You need to install it so clients can follow the certificate chain. Without installing it, some users may still be able to follow the chain because the intermediate is cached from another site. But that’s not a percentage game you want to play. This is why you should ALWAYS install the intermediate certificate that comes bundled with your SSL certificate.
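As an added illustration (not code from the original article), the following Python walks a chain exactly the way the text describes: starting at the leaf, it checks which key produced each signature and keeps going until it lands on a certificate in the root store. It builds its own throwaway root, intermediate and leaf in memory with the `cryptography` library (constructed test material with hypothetical names) and shows that the same leaf verifies when the intermediate is supplied and fails when it is not.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def issue(common_name, issuer=None, is_ca=False):
    """Constructed test certificate (hypothetical names, not real CA material).
    `issuer` is a (cert, key) pair; None means self-signed, i.e. a root."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer_name, signing_key = (subject, key) if issuer is None else (issuer[0].subject, issuer[1])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1)).not_valid_after(now + timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))
    return cert, key

def is_ca(cert):
    """Only certificates with the CA bit set may sign others (intermediates and roots)."""
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca

def signed_by(cert, candidate):
    """True if candidate's public key produced the signature on cert: one link of the chain."""
    if cert.issuer != candidate.subject:
        return False
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def build_chain(leaf, supplied, root_store, max_depth=5):
    """Follow signatures from the leaf back to a trusted root. `supplied` is what the server
    sent (plus anything cached); `root_store` holds the client's trusted roots. Returns the
    chain as a list of subject names, or None when a link is missing (the 'not secure' case)."""
    chain, current = [leaf], leaf
    for _ in range(max_depth):
        root = next((r for r in root_store if signed_by(current, r)), None)
        if root is not None:
            return [c.subject.rfc4514_string() for c in chain + [root]]
        nxt = next((c for c in supplied if is_ca(c) and signed_by(current, c)), None)
        if nxt is None:
            return None
        chain.append(nxt)
        current = nxt
    return None

ROOT = issue("Example Root CA", is_ca=True)
INTERMEDIATE = issue("Example Intermediate CA", issuer=ROOT, is_ca=True)
LEAF = issue("www.example.test", issuer=INTERMEDIATE)

def chain_with_intermediate():
    return build_chain(LEAF[0], [LEAF[0], INTERMEDIATE[0]], [ROOT[0]])

def chain_without_intermediate():
    return build_chain(LEAF[0], [LEAF[0]], [ROOT[0]])
```

`chain_without_intermediate()` returning `None` is the situation a client with no cached intermediate hits when the server omits it, which is why the bundled intermediate must be installed.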

How to Install Your Comodo Certificate Chain Intermediate Certificate

If you need to download and install an intermediate certificate, we’ll make it easy for you. For instructions on how to download and install a Comodo intermediate certificate, for example, just use this link.

Need to buy an SSL/TLS certificate? No worries. We’ve got Comodo CA brand certificates such as PositiveSSL, EssentialSSL, Comodo CA, InstantSSL, and EnterpriseSSL at some of the lowest prices on the internet. See for yourself:
