on certificate chains in computer networks

abstract

The aim is documenting the security/networking concept of certificate chain

(1) CA — the issuer

• a certificate must be issued by a trusted party called Certificate Authority Server
• a certificate authority is public and acknowledged by vendors

(2) cert chain

• check any certificate within a browser (devtools 🠊 certificate 🠊 certificate path) and see the certificate chain consisting of 1 root certificate; 1+ intermediate certificates and 1 server certificate

• certificate chain is a chain of authority in certificates
• we can do some mathematics to verify that the certificate was actually issued by a CA that is said it was (this verification is SIGNING)

(2.1) root cert

• offline
• in-OS
• root certs create intermediate certificates (physically on the vendor’s side)
• root certificate signs the intermediate certificate each session to guarantee its origins

• in-browser
• from-CA-server OR from endpoint-server (the latter being recommeneded as a best practice)

• intermediate cert creates server cert at the time of its issue
• intermediate cert signs server cert each session
• if you need to export an intermediary certificate follow How to Download an Intermediate Cert From Browser — Kemp Support

(2.3) server cert

• online
• in-browser
• from-endpoint server
• contains domain name
• passed during the session after it is signed by an intermediary cert
• after it is verified that it is issued by the downloaded intermediate certificate
• …it is downloaded
• and public-private key exchange can begin

(3) expiry

• all of the certificates have expiry dates
• usually, we talk about server cert expiry

sources

• Verify certificate chain with OpenSSL
• How to Download an Intermediate Cert From Browser — Kemp Support
• Getting Started with OpenSSL and PowerShell

Originally published at http://pavol.kutaj.com on June 11, 2020.