Chain of Trust: Decoding SSL Certificate Security Architecture

The chain of trust is a fundamental concept in digital security that underpins the reliability and authenticity of SSL/TLS certificates used to secure online communications. It establishes a hierarchical structure of trust, starting from a trusted root Certificate Authority (CA) and extending down to the end-entity certificate used by a website or service.

This chain is important for several reasons. First of all, it allows for the scalable distribution of trust across the internet. Instead of requiring every device to trust millions of individual certificates, they only need to trust a small number of root CAs. Second, it provides a mechanism for verifying the authenticity of certificates. When a browser encounters a certificate, it can trace the chain back to a trusted root, ensuring that each link in the chain is valid and trustworthy. This process helps prevent man-in-the-middle attacks and other forms of certificate fraud. Additionally, the chain of trust enables the revocation of compromised certificates without undermining the entire system. If an intermediate CA is compromised, only the certificates issued by that CA need to be revoked, rather than all certificates issued by the root CA. This flexibility and security make the chain of trust an essential component of modern internet security.

Understanding the Chain of Trust

The chain of trust is a hierarchical structure of digital certificates that validates the authenticity of a certificate. This chain typically consists of three main components:

1. Root Certificate Authority (Root CA)
2. Intermediate Certificate Authority (Intermediate CA)
3. End-entity Certificate (Server or Client Certificate)

Root Certificate Authority (Root CA)

The Root CA sits at the top of the trust hierarchy. It is a self-signed certificate, meaning it vouches for its own authenticity. Root CAs are implicitly trusted by web browsers and operating systems. They are responsible for issuing certificates to Intermediate CAs and, in some cases, directly to end-entities.

Key characteristics of Root CAs:

• Self-signed certificates
• Stored securely offline to prevent compromise
• Long validity periods (typically 20–30 years)
• Highly trusted and recognized globally

Intermediate Certificate Authority (Intermediate CA)

Intermediate CAs bridge the gap between Root CAs and end-entity certificates. They are issued by Root CAs and, in turn, issue certificates to end-entities or other Intermediate CAs. The use of Intermediate CAs enhances security by allowing the Root CA to remain offline while the Intermediate CA handles day-to-day certificate issuance.

Key characteristics of Intermediate CAs:

• Issued by Root CAs
• Can issue certificates to end-entities or other Intermediate CAs
• Shorter validity periods than Root CAs (typically 10–15 years)
• Enhance security and flexibility in certificate management

End-entity Certificate

This is the certificate issued to a specific entity, such as a website or email server. It’s the certificate that end-users interact with when visiting a secure website or sending encrypted email.

Key characteristics of End-entity Certificates:

• Issued by Intermediate CAs or, occasionally, Root CAs
• Shortest validity period (typically 1–2 years)
• Contains information about the entity it represents (e.g., domain name for websites)

SSL Chain of trust generated using Eraser

Role in Security

The chain of trust plays a crucial role in ensuring the security and integrity of online communications:

1. Authentication : It verifies the identity of the certificate holder, ensuring that you’re communicating with the intended party.
2. Integrity : It ensures that the certificate hasn’t been tampered with or altered in transit.
3. Encryption : While not directly responsible for encryption, a valid certificate chain is necessary for establishing encrypted connections.
4. Revocation : If a certificate in the chain is compromised, it can be revoked, invalidating all certificates below it in the chain.

Tools to Check Chain of Trust and Certificate Validity

Several tools are available to verify the chain of trust and validate certificates:

OpenSSL

OpenSSL is a versatile command-line tool that can perform various SSL/TLS-related tasks.

To check a certificate chain:

openssl s_client -connect example.com:443 -showcerts

This command will display the entire certificate chain and highlight any issues.

Certificate Checker Tools

Many online services provide comprehensive certificate checking capabilities:

1. SSL Labs Server Test : Offers in-depth analysis of SSL/TLS configurations.
2. DigiCert Certificate Inspector : Scans for certificate issues across your entire network.
3. Qualys SSL Server Test : Provides detailed information about SSL/TLS configuration and potential vulnerabilities.

Browser Developer Tools

Modern web browsers include developer tools that can display certificate information:

1. Click on the padlock icon in the address bar.
2. Select “Certificate” or a similar option.
3. Review the certificate details, including the chain of trust.

Certificate Validation Process

When a client connects to a server, it performs several checks to validate the certificate:

1. Signature Verification : The client verifies each certificate’s digital signature in the chain, starting from the end-entity certificate up to the Root CA.
2. Trust Anchor Check : The client checks if the Root CA is in its list of trusted root certificates.
3. Validity Period : The client ensures all certificates in the chain are within their validity periods.
4. Revocation Check : The client may check if any certificates in the chain have been revoked using Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP).
5. Name Matching : For the end-entity certificate, the client verifies that the certificate’s Subject Alternative Name (SAN) or Common Name (CN) matches the domain being accessed.

Common Issues in Certificate Chain Validation

1. Incomplete Chain : The server doesn’t provide all necessary intermediate certificates.
2. Expired Certificates : One or more certificates in the chain have expired.
3. Revoked Certificates : A certificate in the chain has been revoked.
4. Name Mismatch : The server’s certificate doesn’t match the domain name being accessed.
5. Untrusted Root : The Root CA isn’t in the client’s list of trusted roots.

The testssl.sh tool is a powerful, open-source command-line utility for testing SSL/TLS enabled servers. It provides comprehensive information about a server’s SSL/TLS configuration, including supported protocols, ciphers, and certificate details. This tool is particularly useful for administrators and security professionals looking to assess the security of their SSL/TLS implementations.

./testssl.sh --jsonfile-pretty SSL_test.json https://example.com:443/

While running ./testssl.sh, if you see an error Chain of trust — NOT ok , you need to check whether intermediate certificates are supplied and are part of the chain of trust.

If you are supplying all the certificates including the intermediate certificate but still seeing the error, supply the certificates to the testssh using the add-ca flag pointing to the folder with all the certificates in the chain of trust

./testssl.sh --add-ca ~/Downloads/amc-private-certificate --jsonfile-pretty SSL_test.json https://example.com:443/

The result should now be

{
    "id": "cert_chain_of_trust",
    "severity": "OK",
    "finding": "passed."
}

Conclusion

Understanding the chain of trust and regularly validating certificates is crucial for maintaining a secure online environment. By utilizing the tools and knowledge discussed, you can ensure that your digital certificates are properly configured and trusted, thereby safeguarding your online communications and transactions.

---