Certificate Chain


Certificate Chain (certificate_list) is a collection of Certificates beginning with a root Certificate Authority and ending with the Digital Subject's Certificate, with OPTIONAL intermediate Certificate in between, each Certificate being Signed relatively to the Public Key which is encoded in the previous Certificate.

Validation of the Certificate Chain is a critical part within any Certificate-based Authentication process.

Certificate Chain

Browsers and Certificate Chain#

Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues.

This occurs because the issuing authority has signed the server certificate using an Intermediate Certificate that is not present in the base of well-known trusted Certificate Authority which is distributed in a particular browser. In this case the authority provides a bundle of chained certificates that should be concatenated to the signed server certificate. The Site Certificate must appear before the chained certificates in the combined file:

$ cat www.example.com.crt intermediate.crt > www.example.com.chained.crt

More Information#

There might be more information for this subject on one of the following: