A SSL certificate chain is an ordered list of certificates, containing an SSL/TLS Certificate and Certificate Authority (CA) Certificates, that enable the receiver to verify that the sender and all CA’s are trustworthy.
Each certificate contains information about its issuer. The issuer is the next link in the SSL chain. The SSL chain will be domain certificate -> intermediate ceritificate(s) -> root certificate
SSL Certificate Chain Order
- The Subject of the intermediate certificate matches the Issuer of the domain certificate.
- The Subject of the root certificate matches the Issuer of the intermediate certificate.
- The Subject and Issuer are the same in the root certificate.
Understanding Root Intermediate Server Certificate
- Root Certificate. A root certificate is a digital certificate that belongs to the issuing Certificate Authority. It comes pre-downloaded in most browsers and is stored in what is called a “trust store.” The root certificates are closely guarded by CAs.
- Intermediate Certificate. Intermediate certificates branch off root certificates like branches of trees. They act as middle-men between the protected root certificates and the server certificates issued out to the public. There will always be at least one intermediate certificate in a chain, but there can be more than one.
- Server Certificate. The server certificate is the one issued to the specific domain the user is needing coverage for.
Check SSL Certificate Subject name with Openssl
Run the following command in our command prompt window where server.pem is the file name of a certificate we are testing:
- openssl x509 -noout -subject -in server.pem
If the certificate is the site certificate, we will see the domain of our site in the output. e.g.
subject= /CN=www.yoursite.com
Check SSL Certificate Issuer with Openssl Command
Determine the issuer of our domain cert with the following command.
- openssl x509 -noout -issuer -in server.pem
We should see output such as issuer= /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
Ordering of SSL Certificate Chain
If we are using intermediate certificate(s), we will need to make sure that the application using the certificate is sending the complete chain (server certificate and intermediate certificate).
This depends on the application we use, but usually, we have to create a file containing the server certificate file and the intermediate certificate file. It is required to put the server certificate file first, and then the intermediate certificate file(s).
We can create the correct file for the SSL certificate chain using the following command:
- $ cat server.pem intermediate.pem > chain.pem
Always double check if everything went well, we can do so by using this command which will list each certificate in order with the issuer and subject.
$ openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
subject=/C=Countrycode/ST=State/O=Organization/CN=FQDN
issuer=/C=Countrycode/ST=State/O=Organization/CN=the name of the intermediate CA
subject=/C=Countrycode/ST=State/O=Organization/CN=the name of the intermediate CA
issuer=/C=Countrycode/ST=State/O=Organization/CN=the name of the CA