Certificate Chain


Certificate Chain (certificate_list or Certification path) is a Chain of trust of Certificates beginning with a Subject Certificate and ending with the Root Certificate, with OPTIONAL intermediate Certificates in between, each Certificate being Signed relatively to the Public Key which is encoded in the previous Certificate.

Validation of the Certificate Chain is a critical part within any Certificate-based Authentication process.

Certificate Chain

Browsers and Certificate Chain#

Some browsers may complain about a certificate signed by a well-known Trust Anchor, while other browsers may accept the certificate without issues.

This occurs because the issuing authority has signed the server certificate using an Intermediate Certificate that is not present in the base of well-known trusted Certificate Authority which is distributed in a particular browser. In this case the authority provides a bundle of chained certificates that should be concatenated to the signed server certificate. The Site Certificate must appear before the chained certificates in the combined file:

$ cat www.example.com.crt intermediate.crt > www.example.com.chained.crt

More Information#

There might be more information for this subject on one of the following: