<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] ([Certificate Chain]) needed to perform [Certificate Validation] of a [Site Certificate].

[{$pagename}] which is described in [RFC 5246] as:
''This is a [sequence (chain) of certificates|Certificate Chain].  The [sender's certificate|Site Certificate] __MUST__ come first in the list and each following [certificate] __MUST__ directly certify the [certificate] preceding it.  

Because [Certificate Validation] requires that root keys be distributed independently, the [Self-signed Certificate] that specifies the [root certificate authority|Root Certificate] __MAY__ be omitted from the chain, under the assumption that the remote end __must__ already possess it in order to validate it in any case.''

!! [TLS]
[{$pagename}] when using [TLS] is sent from the Server or Client to the relevant receiver. 

The server would send the [{$pagename}] in the [ServerHello] and the Client would send the [{$pagename}] only after receiving the [CertificateRequest].

!! Should [Root Certificate] be in [{$pagename}]
If the [{$pagename}] contains the [Root Certificate] [SSL]/[TLS] will work but is __NOT__ recommended. The properly implemented [client|User-agent] must have all the valid [Root Certificates] in its [Trust Anchor Store] and __MUST NOT__ trust a [Root Certificates] distributed over an __insecure__ connection from a random site. 

If a [client|User-agent] wants to exempt your site from [Certificate Validation], they __SHOULD NOT__ add your [Root Certificate] to [Certificate Trust Store|Trust Anchor Store]. More than likely that user is not aware that they open door to nearly all their SSL connections (except pinned ones). They should only ever trust your [Site Certificate] (aka the leaf certificate).

Technically, the only bad thing that can be told about sending the [Root Certificate] in the [Certificate Chain] is that it uses a bit of network bandwidth needlessly. That's about 1 kB data per connection which includes a [Full TLS Handshake|TLS Full Handshake]. In a typical session between a [client (Web browser)|User-agent] and a server, only one connection will be of that type as the other connections from the client will use &quot;[Abbreviated TLS Handshake|TLS Abbreviated Handshake]&quot; which build on the initial handshake, and do not use certificates at all. And each connection will be kept alive for many successive HTTP requests. So the network overhead implied by the placing the [Root Certificate] in the certificate_list is slight.

Additionally the popular test site [ssllabs.com test site|https://www.ssllabs.com/|target='_blank'] issues a minor warning in case a root is concatenated, describing the connection with something like &quot;[contains anchor|Trust Anchor]&quot;.

!! Order of [Certificates] Presented
The Order of [Certificates] presented by a server to a client should be:
* [Site Certificate] __MUST__ come first 
* each following [certificate] __MUST__ directly certify the [certificate] that preceding it.  

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [ssltest: Chain issues - Contains anchor|https://security.stackexchange.com/questions/24561/ssltest-chain-issues-contains-anchor/|target='_blank'] - based on information obtained 2016-04-30- 
</pre>