On SSL/TLS Certificate Chains

1. use case

The aim is to document the security/networking concept of a certificate chain, based on the superb "Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic in Wireshark (Using HTTPs)".

2. Certificate Authority Server (CA)

  • a certificate must be issued by a trusted party called a Certificate Authority server
  • the certificate authority is public and acknowledged by vendors

3. Cert Chain

  • check any certificate within a browser (devtools 🠊 certificate 🠊 certificate path) and see the certificate chain consisting of
      • 1 root certificate
      • 1+ intermediate certificates
      • 1 server certificate
  • the certificate chain is a chain of authority in certificates
  • we can do some mathematics to verify that the certificate was actually issued by the CA that it says issued it (this verification is SIGNING)

4. root cert

  • in the order of hundreds (~150) globally
  • offline
  • in-OS
  • root certs create intermediate certificates (physically on the vendor’s side)
  • root certificate signs the intermediate certificate each session to guarantee its origins
  • you purchase a root certificate from a verified, publicly available HTTPS CA
      • Let’s Encrypt (for free)
      • VeriSign
      • DigiCert …
  • the root certificate verifies that the server you are browsing to is actually the server it declares itself to be

5. intermediate certificate

  • in the order of thousands
  • root certificate creates an intermediate certificate
  • root signs the intermediate certificate with the root certificate
  • the certificate authority server sends the intermediate certificate to the web browser organization
  • also, intermediate certificates are often included in OS updates
  • online
  • in-browser
  • downloaded to both the client and the server from the CA server, as visualized below
      • only afterward is a server certificate sent
  • sometimes, the intermediate cert is sent from the server as well (just in case the CA server is not accessible)
      • this is recommended as a best practice

6. server cert

  • online
  • in-browser
  • from-endpoint server
  • contains domain-name
  • passed during the session after it is signed by an intermediary cert
  • after it is verified that it is issued by the downloaded intermediate certificate
      • …it is downloaded
      • and public-private key exchange can begin

6.1. public key

  • 2 large prime numbers used for the public/private key exchange

6.2. verification information

  • certificate chain of authority that links a particular domain (server) certificate to an intermediary and on to a root certificate
  • you do computations to verify that certs were actually issued by who they claim to be issued by

6.3. URL

  • the domain they are certifying

6.4. expiry

  • date

7. expiry

  • all of the certificates have expiry dates
  • usually, we talk about server cert expiry
  • check the expiry easily with OpenSSL
openssl s_client -connect github.com:443 </dev/null | openssl x509 -noout -enddate
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
notAfter=May 10 12:00:00 2022 GMT
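
The chain-of-authority check from sections 3 and 6.2, and the "unable to get local issuer certificate" error in the output above, as an added example that is not part of the original post. It builds a throwaway root, intermediate and server certificate (all subject names, file names and www.example.test are made up), verifies the server certificate with and without the intermediate, and checks expiry; it assumes OpenSSL 1.1.1 or newer.

```shell
# Added example: constructed chain root -> intermediate -> server certificate.
# Subject names, file names and www.example.test are made up for the demo.
# Assumes OpenSSL 1.1.1 or newer on PATH.

build_chain() {  # $1 = empty working directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  ( cd "$1" &&
    # root: self-signed (issuer == subject)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
      -extensions v3_ca -subj "/CN=Example Root CA" -keyout root.key -out root.pem &&
    # intermediate: CSR signed with the root key
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 30 -extfile ca.cnf -extensions v3_ca -out int.pem &&
    # server: CSR signed with the intermediate key
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=www.example.test" -keyout server.key -out server.csr &&
    openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 30 -extfile ca.cnf -extensions v3_leaf -out server.pem
  ) >/dev/null 2>&1
}

verify_full() {         # intermediate supplied alongside the server cert
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/server.pem"
}
verify_leaf_only() {    # intermediate missing: the chain cannot be built
  openssl verify -CAfile "$1/root.pem" "$1/server.pem"
}
not_expiring_within() { # $2 = seconds; exit 0 if server cert is still valid then
  openssl x509 -in "$1/server.pem" -noout -checkend "$2"
}

work=$(mktemp -d) && build_chain "$work" || exit 1
verify_full "$work"
verify_leaf_only "$work" || echo "rejected: no path from server cert to root"
not_expiring_within "$work" 86400
rm -rf "$work"
```

The second verification fails with error 20, the same code as in the github.com output: the verifier holds the root but has nothing that links the server certificate to it.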

8. sources

today I learnt… | as a support eng of the wonderful Snowplow Analytics, expect everything around modern (postmodern?) business intelligence
