How do SSL chains work?

ssl

Why are intermediate certificate authorities required? When would an intermediate certificate be used? How do I verify the chain from the intermediate certificate to the root certificate? What are examples of intermediate certificates that link to root certificates?


Why are intermediate certificate authorities required? When would an intermediate certificate be used?

Sometimes, to protect the root CA's private key, it is stored in a very secure location and only used to sign a few intermediate certificates, which then are used to issue end entity certificates. In case of compromise, the intermediates can be revoked quickly, without having to reconfigure every single machine to trust a new CA.

Another possible reason is delegation: for example, such companies as Google, which often use many certificates for their own networks, will have an intermediate CA of their own.

How do I verify the chain from the intermediate certificate to the root certificate?

Usually, the end entity (for example, a SSL/TLS web server) provides you with the entire certificate chain, and all you have to do is verify the signatures.

The last in that chain is the root certificate, which you already have marked as trusted.

For example, when you have a chain [user] → [intermed-1] → [intermed-2] → [root], the verification is like this:

  1. Does [user] have [intermed-1] as its "Issuer"?

  2. Does [user] have a valid signature by [intermed-1]'s key?

  3. Does [intermed-1] have [intermed-2] as its "Issuer"?

  4. Does [intermed-1] have a valid signature by [intermed-2]'s key?

  5. Does [intermed-2] have [root] as its "Issuer"?

  6. Does [intermed-2] have a valid signature by [root]'s key?

  7. Since [root] is at the bottom of the chain and has itself as "Issuer", is it marked as trusted?

The process is exactly the same all the time; the existence and count of intermediate CAs does not matter. The user certificate can be signed by root directly, and it will be verified the same way.

What are examples of intermediate certificates that link to root certificates?

See the certificate information of https://twitter.com/ or https://www.facebook.com/ for chains containing three or four certificates. See also https://www.google.com/ for an example of Google's own certification authority.

Related

How to fill fill-in forms inside Microsoft Word documents
How can I toggle Full Screen mode in Remote Desktop without a Break key?
How can I specify the repository from which a package will be installed? (emacs-snapshot)
How to remove addresses from Thunderbird's autocomplete drop-down?
How to scroll in grub2 shell?
VMWare Player is not working after installing Hyper-V on windows 8 Pro
how do I see which user I am logged in as in MySQL?
How do I force single (only) channel audio in youtube/flash videos to play in both (left/right) channels?
How can I make wget rename downloaded files to not include the query string?
Windows 7 intermittently drops wired Internet/LAN connection
What is the right way to POST multipart/form-data using curl?
PHP 5.4 Call-time pass-by-reference - Easy fix available?