on certificate chains in computer networks


The aim is to document the security/networking concept of a certificate chain.

(1) CA — the issuer

  • a certificate must be issued by a trusted party called a Certificate Authority (CA)
  • a public CA is one whose root certificate is acknowledged by browser and OS vendors, i.e. shipped in their root trust stores

(2) cert chain

  • inspect any certificate within a browser (devtools 🠊 certificate 🠊 certificate path) and see the certificate chain consisting of 1 root certificate, 1+ intermediate certificates and 1 server (leaf) certificate
  • a certificate chain is a chain of authority: each certificate is signed by the one above it, up to the root
  • we can do some mathematics to verify that the certificate was actually issued by the CA it claims to be issued by: the CA SIGNS the certificate with its private key at issuance, and the client VERIFIES that signature with the public key found in the issuer’s certificate (the verification is signature verification, not signing)

(2.1) root cert

  • offline (the root’s private key is kept off the network and used only to sign intermediates)
  • in-OS (pre-installed in the operating system’s or browser vendor’s root store, so the client already trusts it)
  • root certs sign intermediate certificates (done on the CA’s side)
  • the root signs the intermediate once, at issuance, not each session; the client re-verifies that signature in every session to confirm the intermediate’s origin

(2.2) intermediate cert

  • in-browser (received during the handshake and possibly cached by the client, not pre-installed like the root)
  • from-CA-server OR from endpoint-server (the latter being recommended as a best practice: the server sends the whole chain minus the root, so the client does not depend on fetching the intermediate from the CA; a server that sends only its own certificate fails validation on clients that cannot fetch it)

(2.3) server cert

  • online
  • in-browser
  • from-endpoint server
  • contains the domain name (in the Subject Alternative Name), which the client checks against the host it connected to
  • signed once by the intermediate CA at issuance, then sent by the server in every TLS handshake
  • the client verifies that it was issued by the intermediate certificate it received (or already had), and that the intermediate chains up to a trusted root
  • only then is the public key in the server certificate trusted
  • and the key exchange that establishes the session keys can begin

(3) expiry

  • all of the certificates have expiry dates (notBefore/notAfter); a client rejects a chain in which any certificate is outside its validity period
  • usually, we talk about server cert expiry, because the leaf certificate is the shortest-lived and is renewed most often
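As an added worked example (not part of the original post), the POSIX shell script below builds exactly this three-tier chain with the openssl CLI and then performs the checks a TLS client performs: signature chain up to the trusted root, hostname match, the failure when the server omits the intermediate, and the expiry check. It assumes openssl 1.1.1 or newer is on PATH; the names Example Root CA, Example Intermediate CA and www.example.com, the validity periods and all files are constructed for the example.

```shell
#!/bin/sh
# Added example, not the post author's code. Builds root -> intermediate -> leaf
# with the openssl CLI and verifies the chain the way a TLS client does.
# Assumes openssl >= 1.1.1. All names below are made up for the example.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so the script does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# (2.1) Root CA: self-signed, long-lived. In production its key stays offline;
# here it is used exactly once, to sign the intermediate.
openssl req -x509 -config ca.cnf -extensions v3_root -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -days 3650 -subj "/CN=Example Root CA" 2>/dev/null

# (2.2) Intermediate CA: a CSR signed ONCE by the root, not once per session.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout intermediate.key \
  -out intermediate.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.cnf -extensions v3_intermediate -out intermediate.pem 2>/dev/null

# (2.3) Server (leaf) cert: hostname in subjectAltName, signed by the intermediate,
# short-lived (90 days = 7776000 s).
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -out leaf.csr -subj "/CN=www.example.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
  -days 90 -extfile ca.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Client-side check: leaf signed by intermediate, intermediate signed by the root
# in the client's trust store (-CAfile), and the name in the cert matches $1,
# the hostname the client connected to. Exit status 0 means the chain is accepted.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted intermediate.pem \
    -verify_hostname "$1" leaf.pem >/dev/null 2>&1
}

# Misconfigured server that sends only its own certificate: the client holds the
# root but never sees the intermediate, so it cannot complete the chain.
verify_without_intermediate() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# (3) Expiry: exit 0 if the leaf is still valid $1 seconds from now, 1 if it
# will have expired by then (openssl x509 -checkend semantics).
leaf_valid_for() {
  openssl x509 -in leaf.pem -noout -checkend "$1" >/dev/null 2>&1
}

# Usage: the four outcomes a practitioner wants to see side by side.
if verify_chain www.example.com; then echo "full chain + hostname: OK"; fi
if verify_without_intermediate; then echo "unexpected"; else echo "missing intermediate: rejected"; fi
if verify_chain evil.example.com; then echo "unexpected"; else echo "wrong hostname: rejected"; fi
openssl x509 -in leaf.pem -noout -enddate
```

The interesting case is the second one: the leaf is perfectly valid, but a client with only the root in its store cannot build a path to it, which is why sending the intermediate from the endpoint server is the recommended practice in (2.2).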


Originally published at http://pavol.kutaj.com on June 11, 2020.



Pavol Kutaj


Infrastructure Support Engineer/Technical Writer (snowplow.io) with a passion for Python/writing documentation. More about me: https://pavol.kutaj.com