Cryptography - Certificate chain


1 - About

A certificate may have been issued by a CA whose own certificate was issued by another CA, and so on. The sequence of certificates from the leaf up to the root is the certificate chain (or certification path).

There are several types of certificate:

  • root certificate: the root of the tree. All root CA certificates are self-signed.
  • intermediate certificate: the beginning of a branch of the tree, signed by the root (or, as in the example below, by another intermediate).
  • the end-entity (leaf) certificate: the leaf of the tree, signed by the intermediate.

3 - Management

3.1 - See

Example: from the chrome dev tool (F12) > security.

3.2 - Get

openssl s_client -host gerardnico.com -port 443 -servername gerardnico.com -prexit -showcerts

You get some connection information and the chain, leaf first (certificate 0 is the server certificate, each following one is the issuer of the previous):

certificate_chain.pem
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni137003.cloudflaressl.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
-----BEGIN CERTIFICATE-----
MIIHYjCCBwegAwIBAgIRAMktOmOeS7iRAqRtWc9IHD4wCgYIKoZIzj0EAwIwgZIx
CzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNV
BAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQD
Ey9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0Eg
MjAeFw0xODAyMDEwMDAwMDBaFw0xODA4MTAyMzU5NTlaMGwxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVs
dGktRG9tYWluMSQwIgYDVQQDExtzbmkxMzcwMDMuY2xvdWRmbGFyZXNzbC5jb20w
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARnBErqfdqoeYpPQqLaDaKC+3lB3+E8
qBW2e7BzyaxoeaLzMxsCJbTVld17CK64OOTTc2VftL6ijsmvnZ0RWvcao4IFYTCC
BV0wHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFBDT
RmnKk0YMmNRRbt+dVuE0KkJ1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAA
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysG
AQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5j
b20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNv
bW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZl
ckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2Ny
dC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVT
ZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQu
Y29tMIIDqAYDVR0RBIIDnzCCA5uCG3NuaTEzNzAwMy5jbG91ZGZsYXJlc3NsLmNv
bYISKi5iZWxhamFyYmFoYXNhLnVzggwqLmJ1Y2hiZWUuY2aCDiouYnVjaG1ha2Vy
LmNmghAqLmJ1cm5lb29vbzc3Lm1sghQqLmNsb3Roc2hvZXNwcHRqLmNvbYIMKi5k
aWxsbm90LmNmghEqLmV0aGl4ZGVzaWduLmNvbYISKi5ldXJvLW5hdXRpY2EuY29t
ghwqLmdkdGJvZHl0cmFuc2Zvcm1hdGlvbnMuY29tghAqLmdlcmFyZG5pY28uY29t
ggwqLmdzZzM5NS5jb22CDCouZ3N6NzE1LmNvbYITKi5pcGlja3lvdXJtZWRpYS5j
ZoIMKi5pdHMtMzY1LnJ1gg8qLm5pcmFsbW92aWUubWyCEioub3JnYW5pY2FyZ2Fu
Lm5ldIITKi5wYXVsbWVlaGFuYXJ0LmNvbYILKi5wbHJwZGYuZ3GCESoucHV5ZW5n
LmRvd25sb2FkghAqLnJlYWwtZm9vZHMubmV0ggwqLnJpYm9ueS5vcmeCCyouc2pi
b29rLmdxgg8qLnN0YXJlcGxheS5jb22CESouc3VnZ2VzdC11cmwub3JnghEqLnRh
aXdhbmZmYWlyLmNvbYIMKi50b2xnYXkueHl6gg4qLnR3dHRlbXB0LmNvbYIQYmVs
YWphcmJhaGFzYS51c4IKYnVjaGJlZS5jZoIMYnVjaG1ha2VyLmNmgg5idXJuZW9v
b283Ny5tbIISY2xvdGhzaG9lc3BwdGouY29tggpkaWxsbm90LmNmgg9ldGhpeGRl
c2lnbi5jb22CEGV1cm8tbmF1dGljYS5jb22CGmdkdGJvZHl0cmFuc2Zvcm1hdGlv
bnMuY29tgg5nZXJhcmRuaWNvLmNvbYIKZ3NnMzk1LmNvbYIKZ3N6NzE1LmNvbYIR
aXBpY2t5b3VybWVkaWEuY2aCCml0cy0zNjUucnWCDW5pcmFsbW92aWUubWyCEG9y
Z2FuaWNhcmdhbi5uZXSCEXBhdWxtZWVoYW5hcnQuY29tgglwbHJwZGYuZ3GCD3B1
eWVuZy5kb3dubG9hZIIOcmVhbC1mb29kcy5uZXSCCnJpYm9ueS5vcmeCCXNqYm9v
ay5ncYINc3RhcmVwbGF5LmNvbYIPc3VnZ2VzdC11cmwub3Jngg90YWl3YW5mZmFp
ci5jb22CCnRvbGdheS54eXqCDHR3dHRlbXB0LmNvbTAKBggqhkjOPQQDAgNJADBG
AiEAt0eJnUQu0fj55Jbq1dhjv7zmhJNsTEowx0ApbLFlpiQCIQCtJ5jyklj7Ic65
opXIMhs5N0wzGv7d38VJqSXgFJcWug==
-----END CERTIFICATE-----
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
-----BEGIN CERTIFICATE-----
MIIDnzCCAyWgAwIBAgIQWyXOaQfEJlVm0zkMmalUrTAKBggqhkjOPQQDAzCBhTEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMT
IkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwOTI1MDAw
MDAwWhcNMjkwOTI0MjM1OTU5WjCBkjELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdy
ZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09N
T0RPIENBIExpbWl0ZWQxODA2BgNVBAMTL0NPTU9ETyBFQ0MgRG9tYWluIFZhbGlk
YXRpb24gU2VjdXJlIFNlcnZlciBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEAjgZgTrJaYRwWQKOqIofMN+83gP8eR06JSxrQSEYgur5PkrkM8wSzypD/A7y
ZADA4SVQgiTNtkk4DyVHkUikraOCAWYwggFiMB8GA1UdIwQYMBaAFHVxpxlIGbyd
nepBR9+UxEh3mdN5MB0GA1UdDgQWBBRACWFn8LyDcU/eEggsb9TUK3Y9ljAOBgNV
HQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECATBMBgNV
HR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9FQ0ND
ZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDByBggrBgEFBQcBAQRmMGQwOwYIKwYB
BQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0VDQ0FkZFRydXN0
Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMAoG
CCqGSM49BAMDA2gAMGUCMQCsaEclgBNPE1bAojcJl1pQxOfttGHLKIoKETKm4nHf
EQGJbwd6IGZrGNC5LkP3Um8CMBKFfI4TZpIEuppFCZRKMGHRSdxv6+ctyYnPHmp8
7IXOMCVZuoFwNLg0f+cB0eLLUg==
-----END CERTIFICATE-----
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIQQ1ICP/qokB8Tn+P05cFETjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD
VQQDEyJDT01PRE8gRUNDIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MHYwEAYHKoZI
zj0CAQYFK4EEACIDYgAEA0d7L3XJghWF+3XkkRbUq2KZ9T5SCwbOQQB/l+EKJDwd
AQTuPdKNCZcM4HXk+vt3iir1A2BLNosWIxatCXH0SvQoULT+iBxuP2wvLwlZW6Vb
CzOZ4sM9iflqLO+y0wbpo4H+MIH7MB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8D
veAky1QaMB0GA1UdDgQWBBR1cacZSBm8nZ3qQUfflMRId5nTeTAOBgNVHQ8BAf8E
BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAIMAYGBFUdIAAwSQYDVR0f
BEIwQDA+oDygOoY4aHR0cDovL2NybC50cnVzdC1wcm92aWRlci5jb20vQWRkVHJ1
c3RFeHRlcm5hbENBUm9vdC5jcmwwOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzAB
hh5odHRwOi8vb2NzcC50cnVzdC1wcm92aWRlci5jb20wDQYJKoZIhvcNAQEMBQAD
ggEBAB3H+i5AtlwFSw+8VTYBWOBTBT1k+6zZpTi4pyE7r5VbvkjI00PUIWxB7Qkt
nHMAcZyuIXN+/46NuY5YkI78jG12yAA6nyCmLX3MF/3NmJYyCRrJZfwE67SaCnjl
lztSjxLCdJcBns/hbWjYk7mcJPuWJ0gBnOqUP3CYQbNzUTcp6PYBerknuCRR2RFo
1KaFpzanpZa6gPim/a5thCCuNXZzQg+HCezF3OeTAyIal+6ailFhp5cmHunudVEI
kAWvL54TnJM/ev/m6+loeYyv4Lb67psSE/5FjNJ80zXrIRKT/mZ1JioVhCb3ZsnL
jbsJQdQYr7GzEPUQyp2aDrV1aug=
-----END CERTIFICATE-----
---

3.3 - Check

Chain verification checks each certificate in turn, starting at the top: from the trusted root down to the leaf, each certificate's signature is checked with the public key of the certificate above it, and the chain is only valid if every link passes.

Example:

openssl s_client -connect gerardnico.com:443 -servername gerardnico.com -showcerts

Certificate chain verification, as printed by s_client. The output goes from the root at depth=3 down to the leaf at depth=0, and "verify return:1" means that certificate passed:

Loading 'screen' into random state - done
CONNECTED(000001A4)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = sni137003.cloudflaressl.com
verify return:1
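The script below is an added example and not code from the original page or its author. It ties together the three sections above (the root/intermediate/leaf structure, the leaf-first bundle that -showcerts prints, and the root-to-leaf check): it builds a throwaway three-level chain with openssl, splits a PEM bundle into its certificates and checks that each certificate's issuer is exactly the subject of the next one (the "s:" / "i:" pairing in the -showcerts output), then verifies the leaf against the root both with and without the intermediate. All names (Example Root CA, Example Intermediate CA, www.example.test) and file names are constructed for the example; it assumes an openssl binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example (not from the original page): build a throwaway three-level
# chain with openssl, link-check a leaf-first PEM bundle like the one that
# `s_client -showcerts` prints, and verify the leaf from the trusted root down.
# All subject names and file names below are constructed for this example.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the intermediate CA (it must be marked CA:TRUE, otherwise
# openssl refuses to accept it as an issuer) and for the leaf.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
EOF

# P-256 keys, like the ECC chain shown on the page (fast to generate).
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# 1. Root: self-signed, as every root CA certificate is.
openssl req -x509 $EC -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 2 2>/dev/null
# 2. Intermediate: a CSR signed by the root.
openssl req $EC -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 2 -out int.pem 2>/dev/null
# 3. Leaf: a CSR signed by the intermediate.
openssl req $EC -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -extfile leaf.ext -days 2 -out leaf.pem 2>/dev/null

# What a server sends: the leaf first, then the intermediate(s). The root is
# taken from the verifier's own trust store (-CAfile below), not from the wire.
cat leaf.pem int.pem > chain.pem

# Split a PEM bundle into cert1.pem, cert2.pem, ... (leaf first) and check
# that every certificate's issuer is exactly the subject of the next one.
# Returns 0 when all links hold, 1 at the first broken link.
chain_linked() {
  rm -f cert[0-9]*.pem
  awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("cert" n ".pem")}' "$1"
  i=1
  while [ -f "cert$((i+1)).pem" ]; do
    issuer=$(openssl x509 -in "cert$i.pem" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "cert$((i+1)).pem" -noout -subject | sed 's/^subject= *//')
    echo "cert$i issued by [$issuer]; cert$((i+1)) is [$subject]"
    [ "$issuer" = "$subject" ] || return 1
    i=$((i+1))
  done
}

# Verify the leaf ($3) against the trusted root ($1), with an optional bundle
# of untrusted intermediates ($2). Prints openssl's verdict; returns 0 on OK.
verify_leaf() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" "$3" 2>&1) || true
  fi
  echo "$out"
  echo "$out" | grep -q ': OK$'
}

chain_linked chain.pem && echo "bundle is one unbroken path"
verify_leaf root.pem int.pem leaf.pem      # path root -> intermediate -> leaf: OK
verify_leaf root.pem "" leaf.pem || echo "leaf alone is rejected: its issuer is unknown"
```

The second verify_leaf call shows the failure mode a practitioner meets most often: a server that sends only its leaf certificate. Clients that already cache the intermediate may still connect, while a fresh client (or openssl verify with just the root) cannot build the path and rejects the certificate.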
security/key/chain.txt · Last modified: 2018/02/16 21:45 by gerardnico