Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SSL trust chain validation [closed]

I have a general question. Theoretically, if you have the following trust chain: RootCA -> IntermediateCA -> MyDomainCertificate, one should verify 2 certificates in order to verify your certificate. When I send MyDomainCertificate.crt (X509v3) to someone for verification, do I have to send him the whole chain? Is the verifier able to download all intermediate certificates automatically?

This is how I hope it works:

  1. I send MyDomainCertificate.crt to someone and he wants to verify it.
  2. The verifier needs IntermediateCA.crt (the certificate of my issuer) in order to verify MyDomainCertificate.crt, so he downloads it automatically.
  3. The verifier needs RootCA.crt in order to verify IntermediateCA.crt. The verifier hat this root certificate locally and completes the verification process.

Examples:

  1. Firefox has to be able to check all server certificates. Is firefox able to download automatically all intermediate certificates, or do all servers send the complete trust chain?

  2. If I have client authentication, does Tomcat download automatically all intermediate certificates, or do all clients send the complete trust chain for their certificates?

I hope someone can help my theory/practice confusion. Thanks!

like image 856
user1414745 Avatar asked Jul 01 '26 14:07

user1414745


1 Answers

Configuring an SSL should always include installing intermediate certificates (trust chain) Because some browsers only have the root certificate and don't have intermediate certificate, and your web server should send a copy to client of the intermediate certificate.

You can use openssl for verify your ssl configuration. Read this post: https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/

like image 124
eluish192 Avatar answered Jul 04 '26 12:07

eluish192



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!