Certificate Chain Example

Aliaksandr Prysmakou, published in Two Cents, Dec 8, 2017

I see a lot of questions like “how do I get the certificate chain” or “what is the correct certificate chain order”. Let's shed some light on it.

TL;DR The certificate chain starts with your certificate, followed by an intermediate CA certificate (or directly by the root CA certificate). The Issuer of any certificate in the chain must equal the Subject of the next one, up to the root CA certificate, whose Subject equals its Issuer.

First of all, for an SSL certificate to be trusted it must be issued by a CA that is in the trust store of the device you use (the operating system store, or an application store as with Firefox).

Let's take a look at one of the certificates:

(image: a certificate)

For my domain (see arrows) the system tries to find the issuer of my certificate in the store; if it is not found (in my example it is not), it tries to find the issuer of the issuer of my certificate, and so on.

The relation between certificates forms a certificate chain, in which the certificate of a resource must be issued either by a root CA (one of those installed on your system) or by an intermediate CA (itself issued by a root CA or by an “upper” intermediate CA).

Very often we get certificate files (e.g. a bunch of .crt files) without a specific “certificate chain” file.

To (re)create the chain you should start from your certificate file; in my case it is STAR_my_domain.crt:

openssl x509 -text -noout -in STAR_my_domain.crt

We are interested in two fields from the output: Subject and Issuer.

The first certificate in the chain file should be your domain's certificate (there are exceptions, e.g. for AWS Certificate Manager you submit your certificate and the chain without your certificate separately).

There are two types of CA: root and intermediate. An intermediate CA's certificate has different Issuer and Subject fields; a root CA's certificate has equal Issuer and Subject.

The second one should be the certificate of the issuer of your certificate, the third the certificate of that issuer's issuer, and so on up to the root one.

In my case the chain looks like this:

First goes my certificate (STAR_mydomain.crt):

Issuer: C=US, ST=DE, L=Wilmington, O=Corporation Service Company, CN=Trusted Secure Certificate Authority 5
Subject: my subject

Second in the chain is TrustedSecureCertificateAuthority5.crt. Note: its Subject is equal to the previous file's Issuer:

Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=US, ST=DE, L=Wilmington, O=Corporation Service Company, CN=Trusted Secure Certificate Authority 5

The third one is USERTrustRSAAddTrustCA.crt:

Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

The last one is AddTrustExternalCARoot.crt. Note: Issuer = Subject, meaning it is a root CA. There is no need to add the root CA certificate to the chain. It doesn't break it, but it adds to every handshake and increases the amount of transmitted data.

Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root

To create a file with the certificate chain you can run:

cat STAR_mydomain.crt TrustedSecureCertificateAuthority5.crt USERTrustRSAAddTrustCA.crt > Certificate_Chain.crt

For services such as AWS Certificate Manager (the chain without your own certificate):

cat TrustedSecureCertificateAuthority5.crt USERTrustRSAAddTrustCA.crt > Certificate_Chain.crt

The file should look like this:

-----BEGIN CERTIFICATE-----
content of your domain certificate
-----END CERTIFICATE-----
...
-----BEGIN CERTIFICATE-----
content of any intermediate CA certificate
-----END CERTIFICATE-----
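The ordering rule above (each Issuer equals the next Subject, root dropped) and the file layout can be checked with a script rather than by eye. The following Python is an added example and not part of the original article: the Subject and Issuer strings are copied from the openssl output shown earlier, the leaf's Subject (the article only says “my subject”) is a constructed placeholder, the trusted_subjects parameter is an assumed stand-in for the system trust store, and names_from_openssl is an assumed helper that just runs the openssl x509 command from the article on a real file.

```python
import re
import subprocess
from typing import Dict, List, Optional

# One PEM block per certificate, exactly the layout of the chain file above.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

# Distinguished names copied from the article's openssl output.
ROOT_DN = "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
USERTRUST_DN = ("C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, "
                "CN=USERTrust RSA Certification Authority")
TSCA5_DN = ("C=US, ST=DE, L=Wilmington, O=Corporation Service Company, "
            "CN=Trusted Secure Certificate Authority 5")
LEAF_DN = "CN=*.mydomain.example"  # constructed placeholder for "my subject"

# The four certificates from the article, deliberately in the wrong order
# (constructed input: only the Subject/Issuer strings matter here).
CERTS = [
    {"name": "AddTrustExternalCARoot.crt", "subject": ROOT_DN, "issuer": ROOT_DN},
    {"name": "STAR_mydomain.crt", "subject": LEAF_DN, "issuer": TSCA5_DN},
    {"name": "USERTrustRSAAddTrustCA.crt", "subject": USERTRUST_DN, "issuer": ROOT_DN},
    {"name": "TrustedSecureCertificateAuthority5.crt", "subject": TSCA5_DN, "issuer": USERTRUST_DN},
]


def split_pem_bundle(text: str) -> List[str]:
    """Return every certificate block of a concatenated .crt file, in file order."""
    return PEM_BLOCK.findall(text)


def names_from_openssl(path: str) -> Dict[str, str]:
    """Assumed hook for real files: read Subject and Issuer via the openssl CLI.
    The demo below uses the constructed CERTS list instead of calling this."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout
    fields = {}
    for line in out.splitlines():          # lines look like "subject=..." / "issuer=..."
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return {"name": path, "subject": fields["subject"], "issuer": fields["issuer"]}


def order_chain(certs, include_root=False, trusted_subjects=frozenset()):
    """Order certificates leaf-first so that each Issuer equals the next Subject.

    Stops at a self-signed (root) certificate, which is dropped unless
    include_root is set, or when the next issuer is already in the trust
    store (trusted_subjects), mirroring how a client walks the chain.
    Raises ValueError when the leaf cannot be identified or a link is missing.
    """
    by_subject = {c["subject"]: c for c in certs}
    if len(by_subject) != len(certs):
        raise ValueError("duplicate Subject in input")
    issuers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    # The leaf is the only non-root certificate that issued nothing else.
    leaves = [c for c in certs
              if c["subject"] not in issuers and c["subject"] != c["issuer"]]
    if len(leaves) != 1:
        raise ValueError(f"cannot identify a single leaf: {len(leaves)} candidates "
                         "(missing intermediate or stray certificate?)")
    chain, current = [], leaves[0]
    while True:
        if any(c is current for c in chain):
            raise ValueError("cycle in Issuer links")
        chain.append(current)
        if current["subject"] == current["issuer"]:
            return chain if include_root else chain[:-1]   # root reached
        nxt = by_subject.get(current["issuer"])
        if nxt is None:
            if current["issuer"] in trusted_subjects:
                return chain   # issuer is a root already installed on the system
            raise ValueError(f"no certificate with Subject {current['issuer']!r}")
        current = nxt


def chain_error(certs, **kwargs) -> Optional[str]:
    """Return the ValueError message order_chain raises for this input, or None."""
    try:
        order_chain(certs, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Prints the file names in the order they should be concatenated.
    for cert in order_chain(CERTS):
        print(cert["name"])
```

With the article's four files the script lists STAR_mydomain.crt, TrustedSecureCertificateAuthority5.crt and USERTrustRSAAddTrustCA.crt, i.e. the same order as the cat command, and leaves the root out. If an intermediate is missing it refuses to produce a chain instead of silently emitting a broken one, which is the failure an online checker would otherwise surface only after deployment.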

To check whether everything is OK with your certificate chain you can use any of the online services, e.g. the one DigiCert provides.

UPDATE: Information updated after multiple issues with the AddTrust External CA Root expiration on May 30th 2020. There is no need to add the root certificate; it is not recommended unless you use a self-signed one.
