Loading learning content...
When you connect to https://bank.example.com, how do you know you're actually communicating with your bank and not an attacker? The answer lies in certificate validation—a sophisticated process where cryptographic proofs chain back to trusted authorities.
Certificates are the identity documents of the internet. Just as a passport proves your identity through a chain of governmental trust, an X.509 certificate proves a server's identity through a chain of Certificate Authority (CA) trust. Understanding this system is essential for any engineer working with web security.
In this comprehensive exploration, we'll dissect the complete certificate validation process—from certificate structure and chain building through validation algorithms and failure handling. You'll learn not just how validation works, but why each component exists and what attacks it prevents.
By the end of this page, you will understand: (1) X.509 certificate structure and fields, (2) Certificate chains and the hierarchy of trust, (3) The complete chain validation algorithm, (4) Certificate revocation checking (CRL, OCSP), (5) Common validation failures and their causes, and (6) Certificate pinning and enhanced validation.
An X.509 certificate is a standardized data structure (defined in RFC 5280) that binds a public key to an identity. Every TLS certificate follows this format precisely, enabling universal interoperability across implementations.
The Three Core Components:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING
}
Let's examine each field in detail:
| Field | Description | Example / Notes |
|---|---|---|
| Version | X.509 version (typically v3) | 3 (value 2, zero-indexed) |
| Serial Number | Unique identifier from issuing CA | 05:1B:2C:3D:4E:5F... (unique within CA) |
| Signature Algorithm | Algorithm CA will use to sign | sha256WithRSAEncryption, ecdsa-with-SHA256 |
| Issuer | Distinguished Name of signing CA | CN=Let's Encrypt Authority X3, O=Let's Encrypt |
| Validity | Not Before / Not After timestamps | 2024-01-01 to 2025-01-01 |
| Subject | Identity the certificate represents | CN=www.example.com, O=Example Inc. |
| Subject Public Key Info | The public key being certified | RSA 2048-bit or ECDSA P-256 key |
| Extensions (v3) | Additional constraints and information | Key Usage, SAN, CA flag, etc. |
Critical Extensions for TLS Certificates:
X.509 version 3 introduced extensions that are essential for modern security:
1. Subject Alternative Name (SAN)
DNS: www.example.com
DNS: example.com
DNS: api.example.com
IP: 192.0.2.1
The SAN extension lists all valid identities for this certificate. This is what browsers actually check when validating hostname matching—not the Subject CN (which is deprecated for hostname validation).
2. Key Usage
Digital Signature: YES
Key Encipherment: YES
Key Agreement: NO
Restricts what operations the key can perform. A TLS server certificate must have Digital Signature to sign handshake data.
3. Extended Key Usage
TLS Web Server Authentication: YES
TLS Web Client Authentication: NO
Further restricts certificate purpose. This prevents, for example, an email signing certificate from being used for TLS.
4. Basic Constraints
CA: FALSE
Path Length: N/A
Indicates whether this certificate can sign other certificates. Leaf certificates (servers) have CA:FALSE. Intermediate CAs have CA:TRUE.
Without the Basic Constraints extension, any certificate could sign other certificates, making the entire trust hierarchy meaningless. A compromised domain certificate could issue certificates for any domain. This was a real vulnerability in early PKI implementations.
Certificate Encoding Formats:
Certificates are encoded in various formats, which can cause confusion:
| Format | Description | File Extension | Content |
|---|---|---|---|
| DER | Binary ASN.1 encoding | .der, .cer | Raw binary |
| PEM | Base64-encoded DER with headers | .pem, .crt | -----BEGIN CERTIFICATE----- |
| PKCS#7 | Collection of certificates | .p7b, .p7c | May contain certificate chain |
| PKCS#12 | Certificate + private key bundle | .pfx, .p12 | Password-protected archive |
Viewing a Certificate (OpenSSL):
# View certificate details
openssl x509 -in cert.pem -text -noout
# Output includes:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 04:00:00:00:00:01:23:45:67:89
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Example CA, O = Example Corp
Validity
Not Before: Jan 1 00:00:00 2024 GMT
Not After : Jan 1 00:00:00 2025 GMT
Subject: CN = www.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:www.example.com, DNS:example.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
A single certificate is meaningless without context. The power of PKI comes from certificate chains—a sequence of certificates linking a server's identity back to a trusted root.
The Three-Level Hierarchy:
┌─────────────────────────────────────────────────────┐
│ Root CA Certificate │
│ (Self-signed, distributed with OS/browser) │
│ Validity: 10-25 years │
│ Stored offline in HSMs │
└─────────────────────────────────────────────────────┘
│
│ Signs
↓
┌─────────────────────────────────────────────────────┐
│ Intermediate CA Certificate │
│ (Signed by Root, signs end-entity certs) │
│ Validity: 3-10 years │
│ Operated online, more exposed │
└─────────────────────────────────────────────────────┘
│
│ Signs
↓
┌─────────────────────────────────────────────────────┐
│ End-Entity (Leaf) Certificate │
│ (The actual server certificate) │
│ Validity: 90 days - 2 years │
│ Installed on web servers │
└─────────────────────────────────────────────────────┘
Why Use Intermediates?
Security Isolation: Root keys are kept offline in Hardware Security Modules (HSMs). If an intermediate is compromised, the root isn't exposed.
Revocation Scope: Revoking an intermediate affects only certificates it signed, not the entire root.
Operational Flexibility: Multiple intermediates can exist for different purposes (OV, EV, specific regions).
Key Rotation: Intermediates can be rotated more frequently than roots.
Chain Building:
During TLS handshake, the server sends its certificate chain (excluding the root). The client must:
Issuer-Subject Linking:
Each certificate's Issuer field must exactly match the next certificate's Subject field:
Leaf Certificate:
Subject: CN=www.example.com
Issuer: CN=Example Intermediate CA
↓ Must match
Intermediate Certificate:
Subject: CN=Example Intermediate CA
Issuer: CN=Example Root CA
↓ Must match
Root Certificate (in trust store):
Subject: CN=Example Root CA
Issuer: CN=Example Root CA (self-signed)
Certificates include an AIA extension pointing to where the issuer's certificate can be fetched. If a server doesn't send intermediates, the client can download them via AIA. However, this adds latency and isn't always reliable—best practice is for servers to always send the complete chain.
Trust Stores:
Operating systems and browsers maintain curated lists of trusted root CAs:
| Platform | Trust Store | Approximate Roots |
|---|---|---|
| Windows | Microsoft Root Certificate Program | ~300 |
| macOS/iOS | Apple Root Certificate Program | ~180 |
| Linux | ca-certificates package | ~130 |
| Firefox | Mozilla NSS (independent) | ~150 |
| Chrome | Uses OS trust store + Chrome Root Store | Varies |
| Android | System trust store + user-installed | ~150 |
How CAs Get Into Trust Stores:
CA inclusion is a rigorous process:
This gatekeeping is crucial—every root CA can issue certificates for any domain.
Certificate validation is a multi-step process defined in RFC 5280. A certificate is valid only if every step passes. Let's trace through the complete algorithm:
Step 1: Hostname Verification
The presented hostname must match the certificate:
Requested URL: https://www.example.com/api
Certificate SAN:
DNS: www.example.com ← Match!
DNS: example.com
DNS: api.example.com
Result: PASS
Wildcard Matching Rules:
*.example.com matches www.example.com, api.example.com*.example.com does NOT match example.com (no subdomain)*.example.com does NOT match test.www.example.com (only one level)* must be leftmost label onlyStep 2: Validity Period Check
Current Time: 2024-06-15 10:30:00 UTC
Not Before: 2024-01-01 00:00:00 UTC ← Before current time: OK
Not After: 2025-01-01 00:00:00 UTC ← After current time: OK
Result: PASS (certificate is within validity period)
This check applies to every certificate in the chain. If any certificate is expired or not yet valid, the entire chain fails.
Step 3: Signature Verification
For each certificate in the chain, verify the signature using the issuer's public key:
Leaf Certificate:
Signature: 3082010a....
Signed by: Intermediate CA
Verification: Decrypt signature with Intermediate's public key
Compare to hash of TBSCertificate
Result: MATCH → PASS
This proves the certificate hasn't been modified and was genuinely issued by the claimed issuer.
Step 4: Chain Building and Root Trust
Build the chain from leaf to root:
1. Start with leaf certificate
2. Find certificate whose Subject == Leaf's Issuer
3. Repeat until reaching self-signed certificate
4. Verify self-signed certificate is in trust store
Step 5: Basic Constraints Validation
For each certificate acting as a CA:
CA: TRUE must be setpathLenConstraint (if present) must not be exceededRoot CA: CA=TRUE, pathLen=1 (can have 1 intermediate below)
Intermediate: CA=TRUE, pathLen=0 (can sign only leaf certs)
Leaf: CA=FALSE (cannot sign any certs)
Step 6: Key Usage Validation
Leaf certificate must have appropriate Key Usage:
digitalSignature — For ECDHE key exchange signatureskeyEncipherment — For RSA key exchange (legacy)Step 7: Extended Key Usage
serverAuth (1.3.6.1.5.5.7.3.1) must be present for TLS server certs.
Extensions marked 'critical' MUST be processed—if a validator doesn't understand a critical extension, it must reject the certificate. Non-critical extensions can be ignored if not understood. This allows for graceful extension evolution while maintaining security.
Certificates can become invalid before their expiration date—private keys get compromised, companies change ownership, or certificates are mis-issued. Revocation is the mechanism to invalidate such certificates.
Two Primary Revocation Methods:
1. Certificate Revocation Lists (CRLs)
A CRL is a signed list of revoked certificate serial numbers published by the CA:
CRL Distribution Point: http://crl.example.com/ca.crl
CRL Contents:
Issuer: CN=Example CA
This Update: 2024-06-15 00:00:00 UTC
Next Update: 2024-06-16 00:00:00 UTC
Revoked Certificates:
Serial: 12345, Revocation Date: 2024-05-01, Reason: keyCompromise
Serial: 67890, Revocation Date: 2024-05-15, Reason: cessationOfOperation
...
Signature: ...
| Aspect | CRL | OCSP |
|---|---|---|
| Data Transfer | Download entire list | Single certificate query |
| Size | Can be megabytes | ~1KB response |
| Freshness | Hours (based on Next Update) | Seconds (real-time check) |
| Client Load | Must parse entire list | Simple status response |
| Privacy | No server contact hints | CA knows which certs you check |
| Reliability | Can cache for offline | Requires live connection |
2. Online Certificate Status Protocol (OCSP)
OCSP provides real-time revocation status for individual certificates:
Client Request:
POST http://ocsp.example.com
Content-Type: application/ocsp-request
Serial: 12345
Issuer: CN=Example CA
OCSP Response:
Response Status: successful
Certificate Status: good|revoked|unknown
This Update: 2024-06-15 10:00:00 UTC
Next Update: 2024-06-15 22:00:00 UTC
Signature: ...
OCSP Stapling: The Best of Both Worlds
OCSP has a privacy problem—the CA sees every certificate the client verifies. OCSP Stapling solves this:
Certificates can include a 'Must-Staple' extension (RFC 7633), requiring the server to provide a stapled OCSP response. Without it, the connection fails. This prevents attackers from simply omitting revocation information for a stolen certificate.
Soft-Fail vs Hard-Fail:
A critical question: what happens if revocation information is unavailable?
| Approach | Behavior | Risk |
|---|---|---|
| Soft-Fail | Accept certificate if revocation check fails | Attacker can block OCSP → use revoked certificate |
| Hard-Fail | Reject certificate if revocation check fails | DoS risk, poor user experience on network issues |
Most browsers use soft-fail by default, which means revocation is easily bypassed. This is why OCSP Stapling with Must-Staple is important for high-security applications.
Server Configuration (Nginx OCSP Stapling):
# Enable OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# File with CA chain for OCSP response verification
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Trusted CA certificates for OCSP response verification
ssl_trusted_certificate /etc/ssl/certs/ca-chain.pem;
Certificate Transparency (CT) is a framework for publicly logging all issued certificates, enabling detection of rogue or mis-issued certificates.
The Problem CT Solves:
Historically, CAs could issue any certificate for any domain, and unless the victim actively monitored, mis-issuance went undetected. Notable incidents:
CT Architecture:
┌──────────┐ Issue ┌──────────────┐ Submit ┌─────────────┐
│ CA │──────────────▶│ Certificate │───────────▶│ CT Logs │
└──────────┘ └──────────────┘ │ (Merkle │
│ Trees) │
└─────────────┘
│
Returns SCT │
▼ │
┌──────────┐ Validate ┌──────────────┐ Monitor ┌─────────────┐
│ Browser │◀──────────────│ Certificate │◀───────────│ Monitors │
│ │ │ + SCT │ │ (Domain │
│ │ │ │ │ owners, │
└──────────┘ └──────────────┘ │ auditors) │
└─────────────┘
Signed Certificate Timestamp (SCT):
When a CA submits a certificate to a CT log, the log returns a Signed Certificate Timestamp (SCT)—a cryptographic promise to include the certificate in the log within a specified time.
SCT Delivery Methods:
signed_certificate_timestamp extensionBrowser Requirements:
Chrome, Safari, and other browsers require SCTs from multiple independent logs for certificates issued after 2018. Without valid SCTs, certificates are rejected.
| Certificate Lifetime | Required SCTs |
|---|---|
| Less than 180 days | 2 SCTs |
| 180+ days | 3 SCTs |
Monitoring for Your Domains:
Domain owners can monitor CT logs to detect unauthorized certificate issuance:
# Using crt.sh (public CT log aggregator)
curl "https://crt.sh/?q=example.com&output=json" | jq '.'
# Shows all certificates ever issued for example.com
Services like Facebook's Certificate Transparency Monitoring, crt.sh, and commercial solutions provide alerting when new certificates appear for your domains.
Certificate Transparency doesn't prevent mis-issuance—it exposes it. A rogue certificate could still be used briefly before detection. However, CT makes it nearly impossible to issue a fraudulent certificate without it being publicly visible, deterring attackers and enabling rapid response.
Understanding why certificate validation fails is crucial for both security and troubleshooting. Let's examine the most common failure scenarios:
Diagnosing Certificate Issues (OpenSSL):
# Fetch and display server certificate
openssl s_client -connect example.com:443 -servername example.com
# Verify certificate chain
openssl verify -CAfile ca-bundle.crt -untrusted intermediate.crt server.crt
# Check certificate dates
openssl x509 -in cert.pem -noout -dates
# Check certificate SAN
openssl x509 -in cert.pem -noout -text | grep -A1 "Subject Alternative Name"
# Check OCSP status
openssl ocsp -url http://ocsp.example.com -issuer issuer.pem -cert cert.pem
Common Configuration Mistakes:
| Mistake | Symptom | Solution |
|---|---|---|
| Missing intermediate | Works in some browsers, not others | Include full chain in server config |
| Wrong certificate order | Random validation failures | Order: leaf first, then intermediates |
| Private key mismatch | Handshake fails with no error | Verify key matches certificate |
| SNI not configured | Wrong certificate served | Enable SNI on server |
| Self-signed in production | Browser warnings | Use CA-signed certificate |
When development hits certificate errors, the temptation is to disable validation (curl -k, NODE_TLS_REJECT_UNAUTHORIZED=0). This creates catastrophic security holes if accidentally deployed to production. Instead, properly configure certificates—even for development environments.
Standard certificate validation trusts hundreds of CAs—any one of which could issue a certificate for any domain. Certificate pinning restricts which certificates or CAs are valid for a specific domain, providing defense-in-depth against compromised CAs.
Pinning Strategies:
1. Public Key Pinning Pin the hash of the public key (most flexible—survives certificate renewal):
Pin SHA-256: base64(SHA256(SubjectPublicKeyInfo))
Example: pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="
2. Certificate Pinning Pin the hash of the entire certificate (must update pin on renewal):
Pin SHA-256: base64(SHA256(Certificate))
3. CA Pinning Pin specific intermediate or root CA (allows any cert from that CA):
Accept certificates with chain containing:
Issuer: CN=DigiCert SHA2 Extended Validation Server CA
HTTP Public Key Pinning (HPKP) — Deprecated:
HPKP was a browser feature that let sites declare pins via HTTP header:
Public-Key-Pins:
pin-sha256="base64==";
pin-sha256="backup-base64==";
max-age=5184000;
includeSubDomains
Why HPKP Failed:
Modern Alternatives:
1. Expect-CT Header
Expect-CT: max-age=86400, enforce, report-uri="https://example.com/ct-report"
Requires Certificate Transparency (SCTs) for all connections.
2. Mobile App Pinning For mobile apps, pinning is implemented in the app code and highly recommended:
// Android OkHttp pinning
CertificatePinner pinner = new CertificatePinner.Builder()
.add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // Backup
.build();
3. CAA Records DNS CAA records specify which CAs can issue for a domain:
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 iodef "mailto:security@example.com"
CAs must check CAA before issuance. This prevents rogue CAs from issuing, though it doesn't affect validation.
For mobile apps: Pin at least two keys (primary + backup from different roots). Include an emergency override mechanism. Test certificate rotation before it happens. For web: Use CT and CAA records rather than HPKP. Monitor CT logs actively.
Certificates come in different validation levels, reflecting how thoroughly the CA verified the applicant's identity.
Domain Validation (DV) Certificates:
# Let's Encrypt HTTP-01 Challenge
1. CA generates random token
2. You place token at: http://example.com/.well-known/acme-challenge/TOKEN
3. CA verifies it can fetch the token → you control the domain
4. Certificate issued
Organization Validation (OV) Certificates:
Extended Validation (EV) Certificates:
EV Validation Requirements (Partial List):
| Aspect | DV | OV | EV |
|---|---|---|---|
| Identity Verification | Domain only | Domain + org name | Domain + full org verification |
| Issuance Speed | Minutes | 1-3 days | 1-2 weeks |
| Cost | Free-$50/yr | $50-200/yr | $200-1000+/yr |
| Legal Liability | None | Limited | Higher |
| Trust Level | Technical only | Organization visible | Full verification |
| Green Bar (historical) | No | No | Yes (deprecated) |
| Automation | Fully automated | Partially automated | Manual required |
Major browsers have removed the green bar and prominent organization display for EV certificates. Research showed users didn't understand or notice the difference, and attackers could register similarly-named companies to get EV certs. EV still provides legal assurance but no longer provides meaningful visual differentiation.
We've comprehensively explored certificate validation—the mechanism that enables authenticated web connections. Let's consolidate the essential concepts:
What's Next:
With TLS integration and certificate validation understood, the next page examines Mixed Content—what happens when HTTPS pages load HTTP resources, why it's dangerous, and how browsers protect against it.
You now understand the complete certificate validation ecosystem—from X.509 structure through chain validation, revocation, Certificate Transparency, and pinning. This knowledge is essential for configuring, troubleshooting, and securing HTTPS deployments.