A good TLS setup includes providing a complete certificate chain to your clients. This means that your web server sends out all certificates needed to validate its certificate, except the root certificate. This is best practice and helps you achieve a good rating from SSL Labs. In a normal situation, your server certificate is signed by an intermediate CA.

With this, your complete certificate chain is composed of the Root CA, the intermediate CA and the server certificate. You get your certificate signed by an intermediate CA and not by the Root CA, because the Root CA is normally an offline CA. As the name suggests, that server is kept offline and is not available to sign certificates. Its certificate is included in the built-in root CA list of clients (browsers). The intermediate CA is online, and its task is to sign certificates. Unlike the root CA, its own certificate is not included in the built-in list of certificates of clients. Of course, the web server certificate is not part of this list either.

For a client to verify the certificate chain, all involved certificates must be verified: the server certificate is verified by the intermediate CA, which in turn is verified by the Root CA. The client already has the root CA certificate, and at least gets the server certificate. The missing certificate therefore is the one of the intermediate CA.

When a client connects to your server, it gets back at least the server certificate. To validate this certificate, the client must have the intermediate CA certificate. For this, it would have to download it from the CA server. The root CA is pre-installed and can be used to validate the intermediate CA. But not all server certificates include the necessary information, or the client cannot download the missing certificate (hello firewall!). In that case, it is not possible to validate the server's certificate. Therefore the server should include the intermediate CA certificate in its response. Now the client has all the certificates at hand to validate the server. In case more than one intermediate CA is involved, all of their certificates must be included. The chain the server sends is N-1 CA certificates, where N = number of CAs (all of them except the root).

Verify certificate chain with OpenSSL

Enough theory, let's apply this IRL. Use OpenSSL to connect to an HTTPS server (using my very own one here in the example).