Understanding The PKI Certificate Chain
If you are familiar with the definition of SSL, you are aware that this technology uses encryption through the use of a pair of keys and a certificate to safely transmit information from a client to a server or between a server and a server.
You will also be aware that this process uses Public Key Infrastructure, which is a set of protocols and a framework to provide authentication, integrity, confidentiality and integrity to this transmission of information. This same Public Key Infrastructure technology can be used to ensure legally binding documents through digital signatures and digital certificates that both prove the sender was the sender (offering non-repudiation) as well as the document was received as send without any changes, modification or tampering during transmission.
To complete either website data transmission security or email transmission security, the technology uses what is called a PKI certificate chain. It may also be known as a chain of trust.
Terms and Technical Information
If you look at any SSL/TLS certificate for any website you will see there is more than one certificate listed. This is the PKI certificate chain. Some websites may have just a few certificates in the chain while others may have more.
The PKI certificate chain, in its entirety, relies on the root certificate from a Certificate Authority (CA). This is the certificate listed at the top of the chain. With a top Trust Provider like Comodo, this root certificate is embedded in major browsers and devices because we are a trusted source. We follow all required AICPA/CICA WebTrust for Certification Authorities Principles and Criteria to provide validation for all of our SSL/TLS products.
Each of the certificates in the middle of the chain are called intermediate certificates or subordinate certs. Each of the intermediate certificates is issued by a Subordinate CA that is validated by the Root CA.
This is one way for the root CA to allow the ICA (intermediate or subordinate CA) to be able to generate and issue their own certificates for use on their own domains, servers and devices. This is ideal for both the Root and the Intermediate CA as it provides a level of protection for the root certificate and also provides immediate issuance for certificates for the Intermediate CA.
The signing process through the PKI certificate chain is the same regardless of the number of intermediate certificates in the chain. The Root CA will use the embedded private key to digitally sign or verify the Intermediate or Subordinate CA cert. In essence, the Root CA is saying that the Intermediate is trusted because the public and private keys and the certificate are valid.
If there is more than one intermediate cert in the chain, the next in line is then digitally signed by the proceeding certificate and so on down the chain to the identity certificate. This is at the end and one the chain has been verified, encrypted data will be transmitted.
At any point in the chain if the digital signing of the certificate cannot occur because of an incorrect pairing of the public and private keys the user at the browser or on the device gets a security warning message. Not all issues with the warning are because of a breach of the security; it could include an expired certificate or an issue with a name mismatch between the URL typed in and the name on the certificate.
Why it is Important
It may seem easier to simply have the Root CA provide the private key to validate or verify the identity certificate. This is not a secure option as it potentially exposes the private keys of the root CA to fraudulent requests, creating more of a security issue.
It is also important to have the intermediate certificates to allow for easier revocation if there is a security breach in the chain of trust. Instead of having to revoke the Root CA, which would be problematic as it is embedded on browsers and devices, the intermediate CA can be revoked instead, allowing another to be used to complete the PKI certificate chain of trust in a secure fashion.
For more information on the importance of the PKI certificate chain, get in touch with our sales staff at +1 888 266 6361. You can also talk to us through the live chat system on any page on the website. It is easy to access at https://www.instantssl.com. For more general information, check out our resources section or browse the knowledge base for tips, information and troubleshooting guides.