Computer NetworksNetwork Security Protocols

Certificates and PKI

LevelIntermediate

Duration90 mins

TopicNetwork Security Protocols

3 / 5

Chain of Trust

The Chain That Secures the Internet

When your browser connects to a website and displays that reassuring padlock icon, an invisible but critical process has occurred: the certificate chain validation. In milliseconds, your browser has traced a path from the website's certificate, through one or more intermediate certificates, up to a root CA that it implicitly trusts.

This chain of trust is the linchpin of internet security. Every TLS connection, every HTTPS request, every secure API call depends on successfully verifying this chain. A break in the chain—an expired intermediate, a missing certificate, a signature that doesn't verify—results in those dreaded security warnings that block access.

Understanding chain of trust isn't just academic knowledge. It's essential for:

Debugging SSL/TLS issues — Why is my certificate showing as untrusted?
Proper certificate deployment — Which intermediates do I need to include?
Security assessment — Is this chain actually secure?
Incident response — What's the impact if this CA is compromised?

This page takes you deep into how trust chains work, how they're verified, and how to troubleshoot them when things go wrong.

What You Will Master

By the end of this page, you will understand how certificate chains are built and validated, the algorithms used for path validation, cross-certification and bridge CAs, practical chain debugging, and common chain-related failures and their solutions.

The Trust Chain Concept

A certificate chain (or certificate path) is an ordered sequence of certificates that links an end-entity certificate to a trusted root CA. Each certificate in the chain is signed by the next certificate's subject, creating a cryptographic chain that terminates at a self-signed root.

The Basic Chain Structure:

[End-Entity Certificate]
        ↑ signed by
[Intermediate CA Certificate]
        ↑ signed by
[Root CA Certificate (self-signed, in trust store)]

Why Chains Exist:

Remember from our CA discussion that root CAs rarely sign end-entity certificates directly. The reasons are both security and operational:

Security — Root private keys are too valuable to expose for routine signing
Flexibility — Intermediates can be revoked without changing root stores
Segmentation — Different intermediates can have different policies
Recovery — If an intermediate is compromised, issue a new one from the root

Chain Terminology:

Certificate Chain Components
Term	Also Called	Description	Trust Status
End-Entity Certificate	Leaf, Server cert, Subscriber cert	The certificate for the actual server/user being authenticated	Must be verified
Intermediate Certificate	Subordinate CA, Issuing CA	Certificates between leaf and root; can be multiple levels	Must be verified
Root Certificate	Trust anchor, Root CA cert	Self-signed certificate at the top of the chain	Implicitly trusted
Cross-Certificate	Bridge certificate	Certificate linking two distinct CA hierarchies	Enables cross-trust

Real-World Example:

Let's trace a typical certificate chain for a website secured by Let's Encrypt:

Leaf:      CN=www.example.com
           Issuer: CN=R3, O=Let's Encrypt
           
           ↑ R3 signed this
           
Intermed:  CN=R3, O=Let's Encrypt
           Issuer: CN=ISRG Root X1
           
           ↑ ISRG Root X1 signed this
           
Root:      CN=ISRG Root X1, O=Internet Security Research Group
           Issuer: CN=ISRG Root X1 (self-signed)
           
           ✓ In browser trust store

The browser knows nothing about www.example.com initially. But because it trusts ISRG Root X1 (which is in its trust store), and ISRG Root X1 vouches for R3, and R3 vouches for www.example.com, the browser transitively trusts the website.

Trust is Transitive

The chain of trust implements transitive trust: if A trusts B, and B trusts C, then A trusts C. This is mathematically sound because each link is cryptographically verified—B's signature on C's certificate proves B actually vouched for C.

Certificate Path Building

Before a chain can be validated, it must first be built. Path building is the process of assembling a complete chain from the end-entity certificate to a trusted root.

The Path Building Challenge:

Path building isn't always straightforward because:

Servers may send incomplete chains — Missing intermediates
Multiple paths may exist — Same CA re-keyed, cross-certified CAs
Some certificates may be expired or revoked — Must find valid path
Trust stores vary — What's trusted differs by OS/browser/config

Sources of Certificates for Path Building:

Certificate Sources

•TLS Handshake — Server sends its certificate chain in the handshake; this is the primary source
•Authority Information Access (AIA) — Certificate extension containing URL to download issuer's certificate
•Local Cache — Previously seen intermediates may be cached
•Trust Store — May contain intermediates in addition to roots
•LDAP/Directory — Enterprise environments may use directories for cert distribution

AIA Chasing:

When a server doesn't send the complete chain, clients can use the AIA extension in certificates to fetch missing intermediates. This is called "AIA chasing":

Client receives end-entity certificate
Certificate has AIA extension with URL: http://r3.i.lencr.org/
Client downloads the intermediate from that URL
Process repeats until reaching a trusted root

Warning: AIA chasing has drawbacks:

Adds latency (extra HTTP requests)
May fail if CA's server is down
Some clients don't support it (notably OpenSSL)
Can be blocked by firewalls

view-aia-extension.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# View the AIA extension of a certificate
openssl x509 -in cert.pem -noout -text | grep -A 3 "Authority Information Access"
 
# Example output:
Authority Information Access: 
    OCSP - URI:http://r3.o.lencr.org
    CA Issuers - URI:http://r3.i.lencr.org/
 
# Download the intermediate certificate from AIA
curl http://r3.i.lencr.org/ -o intermediate.der
openssl x509 -in intermediate.der -inform DER -out intermediate.pem
 
# View what intermediate was downloaded
openssl x509 -in intermediate.pem -noout -subject -issuer
# Subject: CN = R3, O = Let's Encrypt, C = US
# Issuer: CN = ISRG Root X1, O = Internet Security Research Group, C = US

Always Send Complete Chains

Server operators should always configure their servers to send the complete certificate chain (excluding the root). Relying on AIA chasing adds latency and creates a dependency on CA infrastructure. Some clients won't attempt AIA chasing at all, causing immediate connection failures.

Certificate Path Validation Algorithm

Once a path is built, it must be validated. RFC 5280 defines the certification path validation algorithm—a complex procedure that every TLS implementation must correctly implement.

The Validation Process (Simplified):

For each certificate in the chain, from root to leaf:

Signature Verification — Verify the issuer's signature on the certificate
Validity Period — Check notBefore ≤ current time ≤ notAfter
Revocation Status — Check if certificate has been revoked (CRL or OCSP)
Name Chaining — Verify issuer DN matches subject DN of signing certificate
Key Identifier Matching — Authority Key Identifier matches Subject Key Identifier
Basic Constraints — If cA is TRUE, certificate can sign other certificates
Path Length — Check pathLenConstraint isn't exceeded
Key Usage — Verify keyCertSign bit for CA certificates
Policy Validation — Process certificate policies if required
Name Constraints — Verify any name restrictions

Detailed Validation Checks:

Path Validation Checks in Detail
Check	What It Verifies	Failure Meaning
Signature	Mathematical correctness of digital signature	Certificate was tampered with or wasn't signed by issuer
Validity Period	Current time within notBefore/notAfter	Certificate expired or not yet valid
Revocation	Certificate not on CRL or marked revoked in OCSP	Certificate was revoked (key compromise, mis-issuance, etc.)
Issuer/Subject Match	Issuer DN exactly matches parent's Subject DN	Certificates don't actually chain together
Basic Constraints cA	Intermediate has cA:TRUE	Entity certificate trying to act as CA
Path Length	Number of intermediates ≤ pathLenConstraint	Chain exceeds allowed depth
Key Usage	CA cert has keyCertSign bit set	Certificate not authorized to sign other certs
Name Constraints	Subject/SAN within permitted subtrees	Certificate issued for unauthorized name

The pathLenConstraint:

This is often misunderstood. It limits how many non-self-issued CA certificates can appear below this CA in the chain.

pathLenConstraint: 0 — This CA can only issue end-entity certs, not other CAs
pathLenConstraint: 1 — This CA can issue to CAs that themselves can only issue end-entity certs
pathLenConstraint: absent — No limit on path length

Example with pathLenConstraint: 1 on the Root:

Root CA (pathLenConstraint: 1)
  → Intermediate CA 1 (pathLenConstraint: 0)  ✓ Valid
    → End-Entity Certificate                   ✓ Valid
    → Intermediate CA 2 (trying to be CA)      ✗ Rejected (pathLen:0 at parent)
  → Intermediate CA 3 (pathLenConstraint: 2)  ✗ Rejected (pathLen:1 at root, can't have CA with pathLen:2)

Critical Extensions:

If any extension is marked critical and the validator doesn't understand it, the certificate must be rejected. This is a safety mechanism—unknown critical extensions might impose constraints that can't be verified.

Implementation Variations

While RFC 5280 specifies the algorithm, implementations vary in strictness. Some validators are more lenient (accepting slightly malformed certificates), while others are strict. Browser differences in path validation have historically caused compatibility issues.

Cross-Certification and Bridge CAs

Certificate chains aren't always simple linear hierarchies. Cross-certification creates links between separate CA hierarchies, enabling interoperability and trust bootstrapping.

What is Cross-Certification?

Cross-certification occurs when one CA issues a certificate to another CA (not its subordinate). This creates a trust bridge between two previously independent PKI hierarchies.

Use Cases:

Cross-Certification Purposes

•New CA Bootstrapping — A new CA gets cross-signed by established CA for immediate trust while their root propagates
•Organizational Mergers — Two companies merge and need their PKIs to inter-trust
•Government Interoperability — Different agencies or countries need to trust each other's certificates
•Legacy Support — Continue trusting certificates after CA re-keys to new root
•Algorithm Migration — Cross-sign between RSA and ECDSA hierarchies during transition

Let's Encrypt Cross-Signing Example:

Let's Encrypt's ISRG Root X1 was new in 2016 and not in most trust stores. To provide immediate trust, IdenTrust (whose DST Root CA X3 was widely trusted) cross-signed ISRG Root X1:

Path 1 (Modern devices with ISRG Root X1):
www.example.com → R3 → ISRG Root X1 (in trust store)

Path 2 (Older devices without ISRG Root X1):
www.example.com → R3 → ISRG Root X1 → DST Root CA X3 (cross-signed, in trust store)

The same certificate chain could validate through either path depending on what roots the client trusted. This was critical for Let's Encrypt's success—they achieved immediate universal trust without waiting years for root store updates.

Bridge CAs:

A Bridge CA is a special-purpose CA that cross-certifies multiple other CAs, creating a hub for trust. The Bridge doesn't issue end-entity certificates—it only connects other CAs.

Example: The US Federal PKI Bridge CA connects:

Department of Defense PKI
Department of State PKI
Various agency-specific PKIs
Commercial CAs for contractor authentication

The Bridge enables a DoD certificate to be validated by a State Department system, even though they have different root CAs.

Cross-Signing Complexity

Cross-signing creates complexity. Multiple valid paths may exist. If one path involves a revoked certificate but another doesn't, should validation succeed? Different implementations handle this differently. Expired cross-certificates can cause unexpected failures when the alternate path becomes necessary.

Name Constraints: Limiting CA Authority

Name Constraints are a powerful but underused extension that limits what names a CA (and its subordinates) can include in issued certificates.

Why Name Constraints Matter:

Consider an enterprise that wants to run its own CA for internal services. Without constraints, that CA could technically issue a certificate for google.com or any other domain. If that CA's root is installed on corporate devices, a rogue administrator could perform MITM attacks.

Name Constraints solve this by specifying:

Permitted Subtrees — The only names the CA can issue for
Excluded Subtrees — Names the CA explicitly cannot issue for

Constraint Types:

Name Constraint Types
Name Type	Format Example	What It Constrains
dNSName	.internal.example.com	DNS names (domains and subdomains)
rfc822Name	.example.com	Email addresses (@example.com)
directoryName	O=My Company	X.500 distinguished names in subject
iPAddress	192.168.0.0/16	IP addresses (v4 or v6 with subnet)
uniformResourceIdentifier	.example.com	URIs matching the domain

name-constraint-example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Example CA Certificate with Name Constraints
 
X509v3 Name Constraints: critical
    Permitted:
        DNS:.internal.example.com
        DNS:.corp.example.com
        email:.example.com
        IP:10.0.0.0/255.0.0.0
        IP:192.168.0.0/255.255.0.0
    Excluded:
        DNS:.public.example.com
        IP:0.0.0.0/0.0.0.0  # Effectively: no public IPs
 
# This CA can issue certificates for:
#   ✓ server.internal.example.com
#   ✓ api.corp.example.com
#   ✓ user@example.com
#   ✓ 10.1.2.3
#   ✓ 192.168.1.100
 
# This CA CANNOT issue certificates for:
#   ✗ www.google.com (not in permitted subtrees)
#   ✗ public.example.com (explicitly excluded)
#   ✗ 8.8.8.8 (public IP excluded)

Minimum Subtree Matching:

The leading dot is significant:

.example.com matches sub.example.com and deep.sub.example.com but NOT example.com itself
example.com (no dot) matches exactly example.com and all subdomains

Enterprise PKI Best Practice:

Any enterprise CA that's added to device trust stores should have Name Constraints limiting it to company-owned domains and internal IP ranges. This provides defense-in-depth against CA compromise or administrator abuse.

Why Aren't They Used More?

Despite their value, Name Constraints are underused because:

Some legacy software doesn't properly validate them
Adding constraints to existing CAs requires re-issuing the CA certificate
Public CAs can't have Name Constraints (they need to issue for any domain)
Constraint complexity can lead to unexpected validation failures

Constrained Subordinates

Some public CAs offer 'constrained subordinate' CAs as a service. Enterprises get their own intermediate CA (for automation and control) but it's name-constrained to their domains. This combines public trust with limited scope—a best-of-both-worlds solution.

Debugging Certificate Chain Problems

Certificate chain problems are among the most common TLS issues. Knowing how to diagnose and fix them is essential for any systems engineer.

Common Chain Problems:

Typical Chain Failures

•Incomplete Chain — Server doesn't send intermediates; client can't find them
•Wrong Intermediate — Server sends incorrect or outdated intermediate certificate
•Expired Intermediate — Intermediate certificate has expired (often forgotten since long-lived)
•Ordering Issues — Certificates sent in wrong order (some clients are sensitive)
•Self-Signed in Chain — Root certificate included (wastes bandwidth, can confuse clients)
•Missing Root Trust — Root CA not in client's trust store
•Cross-Sign Expiry — Alternate trust path expired

Diagnostic Commands:

chain-debugging-commands.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# View the certificate chain sent by a server
openssl s_client -connect example.com:443 -showcerts
 
# Output shows each certificate with markers:
#  0 s:CN = www.example.com
#    i:CN = R3, O = Let's Encrypt
# -----BEGIN CERTIFICATE----- (leaf cert)
# -----END CERTIFICATE-----
#  1 s:CN = R3, O = Let's Encrypt
#    i:CN = ISRG Root X1
# -----BEGIN CERTIFICATE----- (intermediate)
# -----END CERTIFICATE-----
 
# Verify a certificate chain against a CA bundle
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted intermediate.pem server.pem
 
# Check all dates in the chain
openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates
 
# View full chain with all certificate details
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -text -noout
 
# Download and verify the complete chain
echo | openssl s_client -connect example.com:443 -showcerts 2>/dev/null | \
  awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {print}' > fullchain.pem
 
# Verify the downloaded chain
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt fullchain.pem
 
# Check subject and issuer for each cert in chain
openssl crl2pkcs7 -nocrl -certfile fullchain.pem | \
  openssl pkcs7 -print_certs -noout
 
# Test with specific TLS version
openssl s_client -connect example.com:443 -tls1_2 -showcerts
openssl s_client -connect example.com:443 -tls1_3 -showcerts

Online Testing Tools:

SSL Labs SSL Test (ssllabs.com) — Comprehensive analysis including chain validation
What's My Chain Cert (whatsmychaincert.com) — Downloads correct chain for your certificate
Certificate Chain Checker — Various online tools to visualize chains

Fixing Common Problems:

Problem: Incomplete Chain

# Nginx: Concatenate certificates in order (leaf + intermediates)
cat server.crt intermediate.crt > fullchain.crt
ssl_certificate /path/to/fullchain.crt;
ssl_certificate_key /path/to/server.key;

Problem: Wrong Order

# Correct order: leaf first, then intermediates toward root
# Never include the root certificate
cat leaf.crt intermediate1.crt intermediate2.crt > correct_chain.crt

Problem: Expired Intermediate

# Download fresh intermediate from CA
curl http://r3.i.lencr.org/ -o new_intermediate.der
openssl x509 -in new_intermediate.der -inform DER -out new_intermediate.pem
# Replace old intermediate in your chain file

Automation Prevents Problems

Most chain problems come from manual certificate management. Automated tools like certbot (for Let's Encrypt) handle chain construction automatically. Consider automation before spending hours debugging chain issues—it's likely a solved problem.

Multiple Paths and Path Selection

In complex PKI environments, multiple valid paths may exist from an end-entity certificate to different trusted roots. Understanding how clients handle this is crucial for interoperability.

Why Multiple Paths Exist:

CA Re-keying — CA generates new key pair but old certificates remain valid
Cross-Certification — Multiple roots have issued certificates to the same CA
Trust Store Differences — Different clients trust different roots
Bridge CA Topology — Multiple bridge paths between PKI domains

Example: Let's Encrypt Multiple Paths

multiple-path-example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# The same certificate can validate through different paths:
 
# Path A: Modern path (ISRG Root X1 is trusted)
www.example.com
  └── R3
      └── ISRG Root X1 (in trust store)
         [self-signed]
         
# Path B: Legacy path (via cross-sign, DST Root CA X3 trusted)
www.example.com
  └── R3
      └── ISRG Root X1
          └── DST Root CA X3 (cross-signed ISRG, in trust store)
              [self-signed]
 
# Path C: Alternative intermediate (if R3 cross-signed)
www.example.com
  └── R3
      └── ISRG Root X2 (ECDSA)
          [self-signed, in trust store]
         
# Client chooses based on which roots it trusts and path requirements

Path Selection Strategies:

Different implementations use different strategies:

Build all paths, validate shortest:

Build all possible paths
Attempt validation on shortest paths first
Accept first valid path
Advantage: Finds valid path even with expired alternates

Build path, validate, retry on failure:

Build most likely path
If validation fails, try alternate branches
May miss valid path if heuristics are wrong

Validate during building:

Check constraints and validity as path is built
Prune invalid branches early
Efficient but may miss some edge cases

Path Preference Policies:

Some validators have policies for path preference:

Prefer shorter paths
Prefer paths with longer-validity certificates
Prefer paths through specific CAs
Prefer RSA over ECDSA (or vice versa)

The DST Root Expiry Crisis

In September 2021, IdenTrust's DST Root CA X3 expired. Older devices that relied on this root for Let's Encrypt's cross-sign path suddenly couldn't validate Let's Encrypt certificates. Newer devices worked fine (using ISRG Root X1). This caused widespread outages on older Android, iOS, and macOS devices—demonstrating how cross-sign expiry can have dramatic real-world impact.

Summary: Chain of Trust Mastered

The chain of trust is the mechanism that extends trust from a handful of root CAs to the billions of certificates securing the internet. Let's consolidate the key concepts:

Key Takeaways

•Trust flows from roots through intermediates to leaves — Each signature cryptographically links the chain
•Path building assembles chains from multiple sources — Server-provided, AIA, cache, trust store
•Path validation checks every link thoroughly — Signatures, dates, revocation, constraints
•Cross-certification creates trust bridges — Enables interoperability and bootstraps new CAs
•Name Constraints limit CA authority — Essential for enterprise CAs added to device trust
•Multiple paths can exist — Understanding path selection helps debug unexpected behavior

What's Next:

Chains can be built and validated, but what happens when a certificate should no longer be trusted? Keys get compromised, employees leave, domain ownership changes. The next page explores Certificate Revocation—the mechanisms (CRL and OCSP) for invalidating certificates before their natural expiration.

Page Complete

You now understand how certificate chains work: path building, validation algorithms, cross-certification, name constraints, and debugging. This knowledge is essential for deploying, maintaining, and troubleshooting PKI systems. Next, we explore how to handle certificates that need to be revoked before expiration.

3 / 5

Loading learning content...

Computer NetworksNetwork Security Protocols

Certificates and PKI

LevelIntermediate

Duration90 mins

TopicNetwork Security Protocols

3 / 5

Chain of Trust

The Chain That Secures the Internet

Understanding chain of trust isn't just academic knowledge. It's essential for:

Debugging SSL/TLS issues — Why is my certificate showing as untrusted?
Proper certificate deployment — Which intermediates do I need to include?
Security assessment — Is this chain actually secure?
Incident response — What's the impact if this CA is compromised?

This page takes you deep into how trust chains work, how they're verified, and how to troubleshoot them when things go wrong.

What You Will Master

The Trust Chain Concept

The Basic Chain Structure:

[End-Entity Certificate]
        ↑ signed by
[Intermediate CA Certificate]
        ↑ signed by
[Root CA Certificate (self-signed, in trust store)]

Why Chains Exist:

Remember from our CA discussion that root CAs rarely sign end-entity certificates directly. The reasons are both security and operational:

Security — Root private keys are too valuable to expose for routine signing
Flexibility — Intermediates can be revoked without changing root stores
Segmentation — Different intermediates can have different policies
Recovery — If an intermediate is compromised, issue a new one from the root

Chain Terminology:

Certificate Chain Components
Term	Also Called	Description	Trust Status
End-Entity Certificate	Leaf, Server cert, Subscriber cert	The certificate for the actual server/user being authenticated	Must be verified
Intermediate Certificate	Subordinate CA, Issuing CA	Certificates between leaf and root; can be multiple levels	Must be verified
Root Certificate	Trust anchor, Root CA cert	Self-signed certificate at the top of the chain	Implicitly trusted
Cross-Certificate	Bridge certificate	Certificate linking two distinct CA hierarchies	Enables cross-trust

Real-World Example:

Let's trace a typical certificate chain for a website secured by Let's Encrypt:

Leaf:      CN=www.example.com
           Issuer: CN=R3, O=Let's Encrypt
           
           ↑ R3 signed this
           
Intermed:  CN=R3, O=Let's Encrypt
           Issuer: CN=ISRG Root X1
           
           ↑ ISRG Root X1 signed this
           
Root:      CN=ISRG Root X1, O=Internet Security Research Group
           Issuer: CN=ISRG Root X1 (self-signed)
           
           ✓ In browser trust store

Trust is Transitive

Certificate Path Building

Before a chain can be validated, it must first be built. Path building is the process of assembling a complete chain from the end-entity certificate to a trusted root.

The Path Building Challenge:

Path building isn't always straightforward because:

Servers may send incomplete chains — Missing intermediates
Multiple paths may exist — Same CA re-keyed, cross-certified CAs
Some certificates may be expired or revoked — Must find valid path
Trust stores vary — What's trusted differs by OS/browser/config

Sources of Certificates for Path Building:

Certificate Sources

•TLS Handshake — Server sends its certificate chain in the handshake; this is the primary source
•Authority Information Access (AIA) — Certificate extension containing URL to download issuer's certificate
•Local Cache — Previously seen intermediates may be cached
•Trust Store — May contain intermediates in addition to roots
•LDAP/Directory — Enterprise environments may use directories for cert distribution

AIA Chasing:

When a server doesn't send the complete chain, clients can use the AIA extension in certificates to fetch missing intermediates. This is called "AIA chasing":

Client receives end-entity certificate
Certificate has AIA extension with URL: http://r3.i.lencr.org/
Client downloads the intermediate from that URL
Process repeats until reaching a trusted root

Warning: AIA chasing has drawbacks:

Adds latency (extra HTTP requests)
May fail if CA's server is down
Some clients don't support it (notably OpenSSL)
Can be blocked by firewalls

view-aia-extension.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# View the AIA extension of a certificate
openssl x509 -in cert.pem -noout -text | grep -A 3 "Authority Information Access"
 
# Example output:
Authority Information Access: 
    OCSP - URI:http://r3.o.lencr.org
    CA Issuers - URI:http://r3.i.lencr.org/
 
# Download the intermediate certificate from AIA
curl http://r3.i.lencr.org/ -o intermediate.der
openssl x509 -in intermediate.der -inform DER -out intermediate.pem
 
# View what intermediate was downloaded
openssl x509 -in intermediate.pem -noout -subject -issuer
# Subject: CN = R3, O = Let's Encrypt, C = US
# Issuer: CN = ISRG Root X1, O = Internet Security Research Group, C = US

Always Send Complete Chains

Certificate Path Validation Algorithm

Once a path is built, it must be validated. RFC 5280 defines the certification path validation algorithm—a complex procedure that every TLS implementation must correctly implement.

The Validation Process (Simplified):

For each certificate in the chain, from root to leaf:

Signature Verification — Verify the issuer's signature on the certificate
Validity Period — Check notBefore ≤ current time ≤ notAfter
Revocation Status — Check if certificate has been revoked (CRL or OCSP)
Name Chaining — Verify issuer DN matches subject DN of signing certificate
Key Identifier Matching — Authority Key Identifier matches Subject Key Identifier
Basic Constraints — If cA is TRUE, certificate can sign other certificates
Path Length — Check pathLenConstraint isn't exceeded
Key Usage — Verify keyCertSign bit for CA certificates
Policy Validation — Process certificate policies if required
Name Constraints — Verify any name restrictions

Detailed Validation Checks:

Path Validation Checks in Detail
Check	What It Verifies	Failure Meaning
Signature	Mathematical correctness of digital signature	Certificate was tampered with or wasn't signed by issuer
Validity Period	Current time within notBefore/notAfter	Certificate expired or not yet valid
Revocation	Certificate not on CRL or marked revoked in OCSP	Certificate was revoked (key compromise, mis-issuance, etc.)
Issuer/Subject Match	Issuer DN exactly matches parent's Subject DN	Certificates don't actually chain together
Basic Constraints cA	Intermediate has cA:TRUE	Entity certificate trying to act as CA
Path Length	Number of intermediates ≤ pathLenConstraint	Chain exceeds allowed depth
Key Usage	CA cert has keyCertSign bit set	Certificate not authorized to sign other certs
Name Constraints	Subject/SAN within permitted subtrees	Certificate issued for unauthorized name

The pathLenConstraint:

This is often misunderstood. It limits how many non-self-issued CA certificates can appear below this CA in the chain.

pathLenConstraint: 0 — This CA can only issue end-entity certs, not other CAs
pathLenConstraint: 1 — This CA can issue to CAs that themselves can only issue end-entity certs
pathLenConstraint: absent — No limit on path length

Example with pathLenConstraint: 1 on the Root:

Root CA (pathLenConstraint: 1)
  → Intermediate CA 1 (pathLenConstraint: 0)  ✓ Valid
    → End-Entity Certificate                   ✓ Valid
    → Intermediate CA 2 (trying to be CA)      ✗ Rejected (pathLen:0 at parent)
  → Intermediate CA 3 (pathLenConstraint: 2)  ✗ Rejected (pathLen:1 at root, can't have CA with pathLen:2)

Critical Extensions:

Implementation Variations

Cross-Certification and Bridge CAs

Certificate chains aren't always simple linear hierarchies. Cross-certification creates links between separate CA hierarchies, enabling interoperability and trust bootstrapping.

What is Cross-Certification?

Cross-certification occurs when one CA issues a certificate to another CA (not its subordinate). This creates a trust bridge between two previously independent PKI hierarchies.

Use Cases:

Cross-Certification Purposes

•New CA Bootstrapping — A new CA gets cross-signed by established CA for immediate trust while their root propagates
•Organizational Mergers — Two companies merge and need their PKIs to inter-trust
•Government Interoperability — Different agencies or countries need to trust each other's certificates
•Legacy Support — Continue trusting certificates after CA re-keys to new root
•Algorithm Migration — Cross-sign between RSA and ECDSA hierarchies during transition

Let's Encrypt Cross-Signing Example:

Let's Encrypt's ISRG Root X1 was new in 2016 and not in most trust stores. To provide immediate trust, IdenTrust (whose DST Root CA X3 was widely trusted) cross-signed ISRG Root X1:

Path 1 (Modern devices with ISRG Root X1):
www.example.com → R3 → ISRG Root X1 (in trust store)

Path 2 (Older devices without ISRG Root X1):
www.example.com → R3 → ISRG Root X1 → DST Root CA X3 (cross-signed, in trust store)

Bridge CAs:

A Bridge CA is a special-purpose CA that cross-certifies multiple other CAs, creating a hub for trust. The Bridge doesn't issue end-entity certificates—it only connects other CAs.

Example: The US Federal PKI Bridge CA connects:

Department of Defense PKI
Department of State PKI
Various agency-specific PKIs
Commercial CAs for contractor authentication

The Bridge enables a DoD certificate to be validated by a State Department system, even though they have different root CAs.

Cross-Signing Complexity

Name Constraints: Limiting CA Authority

Name Constraints are a powerful but underused extension that limits what names a CA (and its subordinates) can include in issued certificates.

Why Name Constraints Matter:

Name Constraints solve this by specifying:

Permitted Subtrees — The only names the CA can issue for
Excluded Subtrees — Names the CA explicitly cannot issue for

Constraint Types:

Name Constraint Types
Name Type	Format Example	What It Constrains
dNSName	.internal.example.com	DNS names (domains and subdomains)
rfc822Name	.example.com	Email addresses (@example.com)
directoryName	O=My Company	X.500 distinguished names in subject
iPAddress	192.168.0.0/16	IP addresses (v4 or v6 with subnet)
uniformResourceIdentifier	.example.com	URIs matching the domain

name-constraint-example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Example CA Certificate with Name Constraints
 
X509v3 Name Constraints: critical
    Permitted:
        DNS:.internal.example.com
        DNS:.corp.example.com
        email:.example.com
        IP:10.0.0.0/255.0.0.0
        IP:192.168.0.0/255.255.0.0
    Excluded:
        DNS:.public.example.com
        IP:0.0.0.0/0.0.0.0  # Effectively: no public IPs
 
# This CA can issue certificates for:
#   ✓ server.internal.example.com
#   ✓ api.corp.example.com
#   ✓ user@example.com
#   ✓ 10.1.2.3
#   ✓ 192.168.1.100
 
# This CA CANNOT issue certificates for:
#   ✗ www.google.com (not in permitted subtrees)
#   ✗ public.example.com (explicitly excluded)
#   ✗ 8.8.8.8 (public IP excluded)

Minimum Subtree Matching:

The leading dot is significant:

.example.com matches sub.example.com and deep.sub.example.com but NOT example.com itself
example.com (no dot) matches exactly example.com and all subdomains

Enterprise PKI Best Practice:

Why Aren't They Used More?

Despite their value, Name Constraints are underused because:

Some legacy software doesn't properly validate them
Adding constraints to existing CAs requires re-issuing the CA certificate
Public CAs can't have Name Constraints (they need to issue for any domain)
Constraint complexity can lead to unexpected validation failures

Constrained Subordinates

Debugging Certificate Chain Problems

Certificate chain problems are among the most common TLS issues. Knowing how to diagnose and fix them is essential for any systems engineer.

Common Chain Problems:

Typical Chain Failures

•Incomplete Chain — Server doesn't send intermediates; client can't find them
•Wrong Intermediate — Server sends incorrect or outdated intermediate certificate
•Expired Intermediate — Intermediate certificate has expired (often forgotten since long-lived)
•Ordering Issues — Certificates sent in wrong order (some clients are sensitive)
•Self-Signed in Chain — Root certificate included (wastes bandwidth, can confuse clients)
•Missing Root Trust — Root CA not in client's trust store
•Cross-Sign Expiry — Alternate trust path expired

Diagnostic Commands:

chain-debugging-commands.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# View the certificate chain sent by a server
openssl s_client -connect example.com:443 -showcerts
 
# Output shows each certificate with markers:
#  0 s:CN = www.example.com
#    i:CN = R3, O = Let's Encrypt
# -----BEGIN CERTIFICATE----- (leaf cert)
# -----END CERTIFICATE-----
#  1 s:CN = R3, O = Let's Encrypt
#    i:CN = ISRG Root X1
# -----BEGIN CERTIFICATE----- (intermediate)
# -----END CERTIFICATE-----
 
# Verify a certificate chain against a CA bundle
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted intermediate.pem server.pem
 
# Check all dates in the chain
openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates
 
# View full chain with all certificate details
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -text -noout
 
# Download and verify the complete chain
echo | openssl s_client -connect example.com:443 -showcerts 2>/dev/null | \
  awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {print}' > fullchain.pem
 
# Verify the downloaded chain
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt fullchain.pem
 
# Check subject and issuer for each cert in chain
openssl crl2pkcs7 -nocrl -certfile fullchain.pem | \
  openssl pkcs7 -print_certs -noout
 
# Test with specific TLS version
openssl s_client -connect example.com:443 -tls1_2 -showcerts
openssl s_client -connect example.com:443 -tls1_3 -showcerts

Online Testing Tools:

SSL Labs SSL Test (ssllabs.com) — Comprehensive analysis including chain validation
What's My Chain Cert (whatsmychaincert.com) — Downloads correct chain for your certificate
Certificate Chain Checker — Various online tools to visualize chains

Fixing Common Problems:

Problem: Incomplete Chain

# Nginx: Concatenate certificates in order (leaf + intermediates)
cat server.crt intermediate.crt > fullchain.crt
ssl_certificate /path/to/fullchain.crt;
ssl_certificate_key /path/to/server.key;

Problem: Wrong Order

# Correct order: leaf first, then intermediates toward root
# Never include the root certificate
cat leaf.crt intermediate1.crt intermediate2.crt > correct_chain.crt

Problem: Expired Intermediate

# Download fresh intermediate from CA
curl http://r3.i.lencr.org/ -o new_intermediate.der
openssl x509 -in new_intermediate.der -inform DER -out new_intermediate.pem
# Replace old intermediate in your chain file

Automation Prevents Problems

Multiple Paths and Path Selection

In complex PKI environments, multiple valid paths may exist from an end-entity certificate to different trusted roots. Understanding how clients handle this is crucial for interoperability.

Why Multiple Paths Exist:

CA Re-keying — CA generates new key pair but old certificates remain valid
Cross-Certification — Multiple roots have issued certificates to the same CA
Trust Store Differences — Different clients trust different roots
Bridge CA Topology — Multiple bridge paths between PKI domains

Example: Let's Encrypt Multiple Paths

multiple-path-example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# The same certificate can validate through different paths:
 
# Path A: Modern path (ISRG Root X1 is trusted)
www.example.com
  └── R3
      └── ISRG Root X1 (in trust store)
         [self-signed]
         
# Path B: Legacy path (via cross-sign, DST Root CA X3 trusted)
www.example.com
  └── R3
      └── ISRG Root X1
          └── DST Root CA X3 (cross-signed ISRG, in trust store)
              [self-signed]
 
# Path C: Alternative intermediate (if R3 cross-signed)
www.example.com
  └── R3
      └── ISRG Root X2 (ECDSA)
          [self-signed, in trust store]
         
# Client chooses based on which roots it trusts and path requirements

Path Selection Strategies:

Different implementations use different strategies:

Build all paths, validate shortest:

Build all possible paths
Attempt validation on shortest paths first
Accept first valid path
Advantage: Finds valid path even with expired alternates

Build path, validate, retry on failure:

Build most likely path
If validation fails, try alternate branches
May miss valid path if heuristics are wrong

Validate during building:

Check constraints and validity as path is built
Prune invalid branches early
Efficient but may miss some edge cases

Path Preference Policies:

Some validators have policies for path preference:

Prefer shorter paths
Prefer paths with longer-validity certificates
Prefer paths through specific CAs
Prefer RSA over ECDSA (or vice versa)

The DST Root Expiry Crisis

Summary: Chain of Trust Mastered

The chain of trust is the mechanism that extends trust from a handful of root CAs to the billions of certificates securing the internet. Let's consolidate the key concepts:

Key Takeaways

•Trust flows from roots through intermediates to leaves — Each signature cryptographically links the chain
•Path building assembles chains from multiple sources — Server-provided, AIA, cache, trust store
•Path validation checks every link thoroughly — Signatures, dates, revocation, constraints
•Cross-certification creates trust bridges — Enables interoperability and bootstraps new CAs
•Name Constraints limit CA authority — Essential for enterprise CAs added to device trust
•Multiple paths can exist — Understanding path selection helps debug unexpected behavior

What's Next:

Page Complete

3 / 5