Explaining TLS Certificate Chains

The aim is documenting the security/networking concept of certificate chain based on the superb Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic in Wireshark (Using HTTPs)

If you look into a certificat chain you’ll find the following

0 s:CN = collector.foo.bar.com                                     
i:C = US, O = Google Trust Services LLC, CN = GTS CA 1D4           
1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1D4         
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1          
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1        
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root

• The reference for shortcuts is here:

1. Certificate Authority Server (CA)

• certificate must be issued by a trusted party called Certificate Authority Server
• certificate authority is public and acknowledged by vendors

2. cert chain

• check any certificate within a browser (devtools 🠊 certificate 🠊 certificate path) and see the certificate chain consisting of
• 1 root certificate
• 1+ intermediate certificates
• 1 server certificate

• certificate chain is a chain of authority in certificates

• we can do some mathematics to verify that the certificate was actually issued by a CA that is said it was (
• this verification is SIGNING — I am not going into the details of signing here
• each certificate a also contains a public key which are 2 large prime numbers used for the public/private key exchange, which is the mechanism behind cert signing

3. root cert

• the total global count is in the order of hundreds (~150)
• offline
• locally, in an operation system (OS)

• root certs create intermediate certificates (physically on the vendor’s side)
• root certificate signs the intermediate certificate each session to guarantee its origins
• you purchase root certificate from verified, publicly available HTTPS CA
• Let’s Encrypt for Free
• Verasign
• Digicert …
• the root certificate verifies that the server you are browsing to is actually the server it declares itself to be

4. intermediate certificate

• the total global count is in the order of thousands
• root certificate creates intermediate certificate
• root signs intermediate certificate with root certificate
• the certificate authority server sends the intermetiade certificate to web browser organization
• also, intermediate certificates are often included in OS updates
• online
• in-browser
• downloaded to both client and the server from-CA-server as visualized below
• only afterwards a server certificate is sent
• sometimes, the intermediate cert is sent from the server as well (just in case CA server not accessible)
• this being recommeneded as a best practice
• intermediate cert creates server cert at the time of its issue
• intermediate cert signs server cert each session
• if you need to export an intermediary certificate follow How to Download an Intermediate Cert From Browser — Kemp Support

5. server cert

• online
• in-browser
• from-endpoint server
• contains domain-name
• passed during the session after it is signed by an intermediary cert
• after it is verified that it is issued by the downloaded intermediate certificate
• …it is downloaded
• and public-private key exchange can begin

5.1. verification information

• certificate chain of authority that links particular domain(server) certificates to intermetiary to root certificates
• you do computations to verify that certs were actually issued by who they claim to be issued by
• URL: the domain the are certifying
• Expiry: all of the certificates have expiry dates; usually we talk about server cert expiry
• check the expiry easily with openSSL

openssl s_client -connect github.com:443 | openssl x509 -noout -enddate
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
notAfter=May 10 12:00:00 2022 GMT

6. sources

• Getting Started with OpenSSL and PowerShell
• How to Download an Intermediate Cert From Browser — Kemp Support
• How to list certificates, trusted by OpenSSL?
• How many intermediate Certificate Authorities are there? — Quora
• Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic in Wireshark (Using HTTPs)
• Verify certificate chain with OpenSSL