In today's digital environment, where online transactions and data exchange are critical to business processes, organizations must safeguard user and customer data to build trust. Public Key Infrastructure (PKI) uses a series of digital certificates to verify the authenticity of an online entity and establish trust. Let's explore what a certificate chain of trust is, how it works, and why it's important.
Table of Contents
What is certificate chaining?
A certificate chain sets the foundation for establishing trust in the identity of an online entity and securing connections over the internet. In this chain, a series of digital certificates follows an end-entity certificate (i.e., a leaf certificate)—each signed by the next Certificate Authority (CA) in the chain to establish its authenticity. At the end of the chain is a trust anchor, the public verification key of a reputable CA.
What's the purpose of certificate chaining?
Certificate chaining is essential for cybersecurity. It establishes trust in digital communications through a hierarchical structure and enables users to interact with online entities confidently. Authentication prevents malicious actors from impersonating legitimate websites (e.g., in a phishing attack), while encryption ensures secure data transmission.
The trust established through the certificate chain prevents criminals from intercepting secure information, which can lead to data breaches and theft. The certificate chain also helps stop man-in-the-middle (MITM) attacks by preventing hackers from using expired, revoked, or fraudulent certificates.
A certificate chain allows users to establish trust with an online entity in various digital transactions—for example, to share personal data, input login credentials, or enter payment information. It's also essential for companies to comply with various data privacy regulations and security standards, such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR).
Components of a chain of certificates
The hierarchical structure of the certificate chain creates a model where trust flows from the top (i.e., root certificate) to the bottom (i.e., leaf certificate).
- Root certificate: A trusted CA at the top of the certificate hierarchy issues and self-signs a root certificate as a trust anchor to establish credibility in all certificates from associated CAs.
- Intermediate certificate: One or multiple intermediate certificates sit between the root and leaf certificate in a trust chain, each issued by an intermediate CA certified by a root CA.
- Leaf certificate: This end-entity certificate authenticates an individual entity such as a user, device, or server. It inherits trust from the higher-level certificates in the chain, verified through digital signatures.
Root CAs are the foundation of trust in the PKI, where the trust in the root certificate is inherited by the entire chain. As long as each certificate in the chain is valid, is signed correctly, and can be traced back to a trusted root, the leaf certificate is considered trustworthy. If a trust anchor's private key is compromised, the root must be distrusted from supporting software immediately. A new root is required to enable the re-issuance of all intermediate and leaf certificates issued from this root.
While a root certificate can theoretically sign a leaf certificate, the practice isn't permitted in public PKIs. Even though no technical blocks prevent a root certificate from signing a leaf certificate in a private PKI, it's considered best practice to use intermediate certificates. That way, if an intermediate certificate is compromised, the impact is limited to the certificates issued under it without affecting the root certificate or other intermediate certificates.
How does a certificate chain work?
Let's look at an SSL / TLS certificate chain as an example. A website owner wants to secure their server with an SSL certificate. First, the owner determines the type of SSL/TLS certificate needed and obtains one from a public CA. After receiving the leaf certificate, the owner installs it on the web server. When a user connects with the website, the browser performs a trust verification process:
- The browser checks if the root CA is present in its preinstalled trust store. If it finds the root certificate, it proceeds to verify the intermediate certificate. Otherwise, it won't establish a connection.
- The browser checks the intermediate certificate's digital signature using the root certificate's public key. If the signature is valid, it will trust the certificate.
- A certificate chain may contain one or more intermediate certificates, each deriving trust from the CA above it. The client verifies each certificate down the chain, confirming that the subject name in one certificate is the issuer name in the next.
- The browser then verifies the server certificate's digital signature using the intermediate certificate's public key. It will establish a secure connection for encrypted data exchange if the signature is valid. It will refuse to connect if it can't verify any certificate along the path.
Maintaining trust with a certificate chain
You don't have to handle intermediate and root certificates when you obtain a leaf certificate in a public PKI. The public CA's chain of trust was established when it was set up and verified to issue the type of leaf certificates you purchase. Here's how to select a reputable CA:
- Look for a CA that uses trusted root certificates in its trust chain.
- Purchase from a CA that publishes audit reports and complies with industry standards like WebTrust or ETSI.
- Consider if a CA cross-signs its certificates with other well-known CAs.
- Examine a CA's history and stability and use one with a long track record of reliable services.
- Look for a CA that offers the full set of certificate types you expect to use, including SSL, S/MIME, code signing, document signing, and eIDAS certificates.
- Additionally, managing the lifecycle of all leaf certificates in your infrastructure is critical to ensuring ongoing security and preventing outages, breaches, or service disruptions. However, manual processes are no longer sufficient for handling the vast number of certificates today's enterprises must manage. To ensure nothing falls through the cracks, you need a bird's-eye view of your inventory and automate the certificate lifecycle management process.
Sectigo Certificate Manager (SCM) is a CA-agnostic platform that allows you to manage all your private and public digital certificates in one place. Learn more and try SCM today to see how we can help you streamline certificate management.