On SSL/TLS Certificate Chains
1. usecase
The aim is to document the security/networking concept of certificate chain based on the superb Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic in Wireshark (Using HTTPs)
2. Certificate Authority Server (CA)
- certificate must be issued by a trusted party called Certificate Authority Server
- certificate authority is public and acknowledged by vendors
3. Cert Chain
- check any certificate within a browser (devtools 🠊 certificate 🠊 certificate path) and see the certificate chain consisting of
- 1 root certificate
- 1+ intermediate certificates
- 1 server certificate
- the certificate chain is a chain of authority in certificates
- we can do some mathematics to verify that the certificate was actually issued by a CA that is said it was (this verification is SIGNING)
4. root cert
- in the order of hundreds (~150) globally
- offline
- in-OS
- root certs create intermediate certificates (physically on the vendor’s side)
- root certificate signs the intermediate certificate each session to guarantee its origins
- you purchase root certificate from verified, publicly available HTTPS CA
- Let’s Encrypt for Free
- Verasign
- Digicert …
- the root certificate verifies that the server you are browsing to is actually the server it declares itself to be
5. intermediate certificate
- in the order of thousands
- root certificate creates an intermediate certificate
- root signs the intermediate certificate with the root certificate
- the certificate authority server sends the intermediate certificate to the web browser organization
- also, intermediate certificates are often included in OS updates
- online
- in-browser
- downloaded to both client and the server from-CA-server as visualized below
- only afterward a server certificate is sent
- sometimes, the intermediate cert is sent from the server as well (just in case CA server not accessible)
- this being recommended as a best practice
- intermediate cert creates server cert at the time of its issue
- intermediate cert signs server cert each session
- if you need to export an intermediary certificate follow How to Download an Intermediate Cert From Browser — Kemp Support
6. server cert
- online
- in-browser
- from-endpoint server
- contains domain-name
- passed during the session after it is signed by an intermediary cert
- after it is verified that it is issued by the downloaded intermediate certificate
- …it is downloaded
- and public-private key exchange can begin
6.1. public key
- 2 large prime numbers used for the public/private key exchange
6.2. verification information
- certificate chain of authority that links particular domain(server) certificates to an intermediary to root certificates
- you do computations to verify that certs were actually issued by who they claim to be issued by
6.3. URL
- the domain the are certifying
6.4. expiry
- date
7. expiry
- all of the certificates have expiry dates
- usually, we talk about server cert expiry
- check the expiry easily with openSSL
openssl s_client -connect github.com:443 | openssl x509 -noout -enddate
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
notAfter=May 10 12:00:00 2022 GMT8. sources
- Verify certificate chain with OpenSSL
- How to Download an Intermediate Cert From Browser — Kemp Support
- Getting Started with OpenSSL and PowerShell
- How many intermediate Certificate Authorities are there? — Quora
- Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic in Wireshark (Using HTTPs)
