How SSL Certificate Chain Works

A trust chain is like an ID verification process. To make it easy to understand, let's use a real-life analogy: a passport.
Passports are trusted as an ID for citizens when they visit another country because they were issued by the government. But the government does not issue passports directly; it entrusts regional passport offices to issue them on its behalf.
Now, let’s map this to SSL:
There are three roles in the SSL certificate chain:
Root Certificate – the government issuing passports. It is the top-level trusted authority.
Intermediate Certificate – the regional passport office that issues passports on behalf of the government.
Server Certificate (your website's SSL/TLS certificate) – the actual passport.
How the Chain Works When a Browser Connects to a Website
You visit https://example.com
The website shows its server certificate.
Your browser asks, "Who gave you this certificate?"
The website responds with an intermediate certificate, saying, "It was issued by this trusted authority."
The browser checks whether this intermediate certificate was signed by a trusted root certificate that it already has stored.
If everything checks out, trust is established and a secure connection is made.
To summarize:
The root CA certificate is the signer/issuer of the intermediate certificates.
Any certificate that sits between the SSL/TLS certificate and the root certificate is an intermediate certificate. The intermediate certificate signs/issues the SSL/TLS certificates.
The server certificate, or SSL/TLS certificate, is what the website owns.
The browser builds the chain from the server certificate up to the root to decide whether the site is safe. If the chain is broken, for example because an intermediate or root certificate is missing, the browser reports "Not secure".
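The connection steps above and this summary can be reproduced on the command line. The script below is an added example, not part of the original post: it builds a throwaway three-tier chain (root, intermediate, server) with the openssl CLI and then verifies the server certificate the way a browser would, once with the intermediate available and once with it missing. The subject names, the 30-day lifetimes and the temp-directory layout are all made up for the example. The `-untrusted` argument plays the role of the intermediate a real server sends alongside its own certificate in the TLS handshake; the root comes from the verifier's own trust store (`-CAfile` here), never from the server.

```shell
#!/bin/sh
# Added example (not from the original post): build root -> intermediate -> server
# with openssl and verify the server cert with and without the intermediate.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extensions: the two CA certs may sign other certs, the server cert may not.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com
EOF

# Generate a private key and a certificate signing request for one party.
mkcsr() { # $1 = file stem, $2 = subject CN (made-up names)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_pki() {
  [ -f "$WORK/server.pem" ] && return 0   # already built
  mkcsr root "Example Root CA"
  mkcsr intermediate "Example Intermediate CA"
  mkcsr server "example.com"

  # Root: self-signed (the government vouches for itself).
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -days 30 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate: signed by the root (the regional office gets its authority from the government).
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem" 2>/dev/null
  # Server: signed by the intermediate (the passport itself).
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" \
    -CAcreateserial -days 30 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Browser view: root in the trust store, intermediate supplied by the server (untrusted),
# chain built from the server cert up to the root. -show_chain prints the path it found.
verify_with_intermediate() {
  openssl verify -show_chain -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/intermediate.pem" "$WORK/server.pem"
}

# Same trust store, but the site forgot to send its intermediate: the chain is broken.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem"
}

build_pki
echo "--- full chain ---"
verify_with_intermediate
echo "--- intermediate missing ---"
if verify_without_intermediate 2>&1; then
  echo "unexpected: broken chain accepted"
else
  echo "rejected, as a browser would be: no path from server cert to a trusted root"
fi
```

The first verification prints `server.pem: OK` followed by the chain it built (depth 0 is the server, depth 1 the intermediate, depth 2 the root); the second fails with "unable to get local issuer certificate", which is the CLI equivalent of the browser's "Not secure" for a site that serves its leaf without the intermediate. A quick field check on a live site is `openssl s_client -connect example.com:443 -showcerts`, which lists every certificate the server actually sends, so a missing intermediate shows up as a chain that stops at the leaf.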
Hope this helps.