An SSL certificate chain is an ordered list of certificates: the SSL/TLS certificate itself plus the certificates of the Certificate Authorities (CAs) that issued it. The chain lets the recipient verify that the sender and all CAs involved are trustworthy.
Each certificate names its issuing authority, which links it to the next certificate in the chain. The usual order of the SSL chain is: domain certificate, then intermediate certificate(s), and finally the root certificate.
SSL Certificate Chain Order
- The Subject of the intermediate certificate matches the Issuer of the domain certificate.
- The Subject of the root certificate matches the Issuer of the intermediate certificate.
- The Subject and Issuer are the same in the root certificate.
Understanding Root, Intermediate and Server Certificates
- Root Certificate. A root certificate is a digital certificate that belongs to the issuing Certificate Authority. It comes pre-downloaded in most browsers and is stored in what is called a “trust store.” The root certificates are closely guarded by CAs.
- Intermediate Certificate. Intermediate certificates branch off root certificates like branches of trees. They act as middlemen between the protected root certificates and the server certificates issued out to the public. There will always be at least one intermediate certificate in a chain, but there can be more than one.
- Server Certificate. The server certificate is the one issued to the specific domain the user needs coverage for.
Common OpenSSL Errors Related to SSL Certificate Chain Checks
When checking SSL certificate chain order with OpenSSL, you might encounter several errors, particularly if the certificate chain is improperly configured or if there are issues with the certificates themselves. Here are some common errors related to this process:
- Incomplete Certificate Chain: Error indicating that not all intermediate certificates are present in the chain. This can lead to trust issues on some clients.
- Certificate Order Mismatch: Occurs when certificates in the chain are not in the correct hierarchical order, which can cause validation failures.
- Root Certificate Not Trusted: This error appears if the root certificate is not recognized by the system or is not included in the trusted store.
- Intermediate Certificate Missing: Similar to an incomplete chain, this specific error indicates that one or more intermediate certificates are missing.
Check SSL Certificate Subject name with OpenSSL
Run the following command in a command prompt window, where server.pem is the file name of the certificate we are testing:
openssl x509 -noout -subject -in server.pem
If the certificate is the site certificate, we will see the domain of our site in the output. e.g.
subject= /CN=www.yoursite.com
Check SSL Certificate Issuer with OpenSSL Command
Determine the issuer of our domain cert with the following command.
openssl x509 -noout -issuer -in server.pem
We should see output such as:
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Ordering of SSL Certificate Chain
If we are using intermediate certificate(s), we will need to make sure that the application using the certificate is sending the complete chain (server certificate and intermediate certificate).
How this is done depends on the application we use, but usually we have to create a single file containing both the server certificate and the intermediate certificate(s). The server certificate must come first, followed by the intermediate certificate file(s).
We can create the correct file for the SSL certificate chain using the following command:
cat server.pem intermediate.pem > chain.pem
Always double-check the result. The following command lists each certificate in the file in order, with its subject and issuer:
$ openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
subject=/C=Countrycode/ST=State/O=Organization/CN=FQDN
issuer=/C=Countrycode/ST=State/O=Organization/CN=the name of the intermediate CA
subject=/C=Countrycode/ST=State/O=Organization/CN=the name of the intermediate CA
issuer=/C=Countrycode/ST=State/O=Organization/CN=the name of the CA
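The subject/issuer rules above can be checked mechanically instead of by eye. The shell function below is an added example, not part of the original article: it reads the output of the -print_certs command on stdin and reports ordering problems. The function name check_chain_order and the sample certificate names are constructed for illustration, and the check compares name strings only, without verifying signatures.

```shell
#!/bin/sh
# Added example (not from the original article). Reads on stdin the output of
#   openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
# and applies the subject/issuer ordering rules. It compares DN strings only;
# it does not verify signatures. Exit: 0 = order OK, 1 = problem, 2 = no input.
check_chain_order() {
    awk '
    # Drop the "subject=" / "issuer=" label and surrounding whitespace.
    function dn(line) {
        sub(/^[a-z]+=[ \t]*/, "", line)
        sub(/[ \t\r]+$/, "", line)
        return line
    }
    /^subject=/ { n++; subj[n] = dn($0) }
    /^issuer=/  { iss[n] = dn($0) }
    END {
        if (n == 0) { print "no subject=/issuer= lines on stdin"; exit 2 }
        bad = 0
        # A self-signed first certificate means a root was placed first.
        if (n > 1 && subj[1] == iss[1]) {
            print "cert 1 is self-signed: the server certificate must come first"
            bad = 1
        }
        # A lone, non-self-signed certificate has no intermediate with it.
        if (n == 1 && subj[1] != iss[1]) {
            print "only one certificate in file: intermediate is missing"
            bad = 1
        }
        # Each issuer must equal the subject of the certificate after it.
        for (i = 1; i < n; i++)
            if (iss[i] != subj[i + 1]) {
                printf "cert %d issuer does not match cert %d subject\n", i, i + 1
                bad = 1
            }
        if (!bad) print "chain order OK (" n " certificates)"
        exit bad
    }'
}

# Constructed sample: intermediate.pem was concatenated before server.pem.
SAMPLE_SWAPPED='subject=/CN=Example Intermediate CA
issuer=/CN=Example Root CA
subject= /CN=www.example.test
issuer= /CN=Example Intermediate CA'

printf '%s\n' "$SAMPLE_SWAPPED" | check_chain_order || echo "fix the order in chain.pem"
```

To run it against a real file, pipe the command shown above into the function instead of the sample text.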