Explaining the Chain of Trust

A brief overview of PKI (Public Key Infrastructure) and why your certificate is trusted.

One of the most common questions we field is in relation to the “Chain of Trust.” If you’ve ever had any questions about roots, intermediates or how SSL certificates are chained, you’re discussing the Chain of Trust. This article will serve to explain how certificate chaining works and how a browser determines that your certificate can be trusted.

What is the Chain of Trust?

The Chain of Trust refers to your SSL certificate and how it is linked back to a trusted Certificate Authority. For an SSL certificate to be trusted, it has to be traceable back to the trust root it was signed under, meaning every certificate in the chain (server, intermediate, and root) needs to be properly trusted. There are 3 parts to the chain of trust:

Root Certificate – A root certificate is a digital certificate that belongs to the issuing Certificate Authority. It comes pre-downloaded in most browsers and is stored in what is called a “trust store.” The root certificates are closely guarded by the Certificate Authorities.

Intermediate Certificate – Intermediate certificates branch off of root certificates like branches off of trees. They act as middle-men between the protected root certificates and the server certificates issued out to the public. There will always be at least one intermediate certificate in a chain, but there can be more than one.

Server Certificate – The server certificate is the one issued to the specific domain the user needs coverage for.

How does the Chain of Trust work?

When you install your SSL certificate, you’ll also be sent an intermediate certificate or bundle. When a browser downloads your website’s SSL certificate upon arriving at your homepage, it begins chaining that certificate back to its root. It starts by following the chain to the intermediate that has been installed, then continues tracing backwards until it arrives at a trusted root certificate. If the certificate is valid and can be chained back to a trusted root, it will be trusted. If it can’t be chained back to a trusted root, the browser will issue a warning about the certificate.

Troubleshooting Chain of Trust Issues

You will occasionally receive errors regarding your certificate’s Chain of Trust if something has been configured incorrectly. Here are some things to consider if you receive an error relating to your trust chain.

  • Was your SSL certificate issued by a trusted CA? If not, your SSL certificate will not be trusted by browsers. This would also be an issue if you self-signed your certificate.
  • Did you install your intermediates properly? While some browsers will try to fill in any gaps in the certificate chain, you don’t want to leave things to chance. Make sure that you successfully install all intermediate certificates at the time you install your SSL certificate.
  • Is your server configured correctly? Just because you’ve installed your SSL certificate and any accompanying intermediates doesn’t mean you’ve configured your server properly. If you’re having trouble with the installation of your certificate, our installation team would be happy to assist.
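
The chaining described under "How does the Chain of Trust work?" and the missing-intermediate problem from the list above, as an added example that is not part of the original article: it builds a throwaway root, intermediate and server certificate with openssl (all names are constructed sample values) and runs `openssl verify` with and without the intermediate. `openssl verify` does not fill in gaps the way some browsers do, so it shows what a strict client sees.

```bash
#!/usr/bin/env bash
# Constructed demo: build root -> intermediate -> server certificates with
# openssl, then verify the server certificate with and without the intermediate.
# The names example-root, example-int, example-leaf and www.example.test are
# made-up sample values.

build_chain() {  # $1 = empty working directory
  local d="$1" n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
  # One key pair and signing request per certificate in the chain.
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Root: self-signed. This is the file that would live in a trust store.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -set_serial 1 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  # Intermediate: signed by the root key.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -days 30 \
    -set_serial 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  # Server certificate: signed by the intermediate key, never by the root.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -days 30 \
    -set_serial 3 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

verify_chain() {  # $1 = trusted root, $2 = server cert, $3 = intermediates (optional)
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else
    openssl verify -CAfile "$1" "$2"
  fi
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  build_chain "$d" || { echo "openssl failed to build the sample chain" >&2; return 1; }
  echo "--- server sends leaf + intermediate:"
  verify_chain "$d/root.pem" "$d/leaf.pem" "$d/int.pem"
  echo "--- server sends leaf only (intermediate not installed):"
  verify_chain "$d/root.pem" "$d/leaf.pem" || echo "chain is broken at the missing intermediate"
  rm -rf "$d"
}
demo
```

Against a live server, `openssl s_client -connect <host>:443 -showcerts` prints the certificates the server actually sends, which is how you confirm the intermediates were installed.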

As always, if you have any questions about the Chain of Trust feel free to contact our Customer Experience Department!
