What is SSL Certificate Chain Order?

The SSL certificate chain order consists of root certificates, intermediate certificates, and the end-user certificate. Root CAs are a trusted source of certificates. Intermediate CAs are bridges that link the end-user certificate to the root CA. An SSL certificate chain order is the list of intermediate CAs leading back to a trusted root CA.

For a web browser to authenticate an SSL certificate, the certificate must be authentic and must be issued by a trusted certificate authority that’s embedded in the browser’s trusted store. If your SSL certificate isn’t issued by a trusted certificate authority, i.e., if it isn’t issued by a root CA, then the connecting device or web browser checks whether the issuing CA’s own certificate was issued by a root CA. It keeps following the SSL certificate chain order, from each certificate to its issuer, until it finds a root CA. If it finds a root CA, a secure connection will be established. If it doesn’t find a root CA, then the connection will be dropped, and your web browser will display an error message that reads “invalid certificate” or “certificate not trusted.”

How Does an SSL Certificate Chain Work?

As previously explained, an SSL certificate chain is the list of certificates that contains the SSL certificate, intermediate certificate authorities, and root certificate authority that enables the connecting device to verify that the SSL certificate is trustworthy. This SSL certificate chain begins with the SSL certificate and ends with the root certificate. All the intermediate certificates in between are links in the SSL certificate chain order.

In this chain, the intermediate certificate is the issuer of the SSL certificate and the root certificate is the issuer of the intermediate certificate. The intermediate certificate must be installed on the same server as the SSL certificate so that the connecting device (browsers, applications, mobile devices, etc.) can trust the SSL certificate.

SSL Certificate Chain Example

Let’s try to visualize this chain through an SSL certificate chain example.

Let’s say you have purchased an SSL certificate for the domain examplewebsite.com from OriginalIssuer:

  • OriginalIssuer isn’t a root certificate authority so your web browser won’t immediately trust it.
  • However, OriginalIssuer uses a certificate issued by IntermediateIssuer1.
  • IntermediateIssuer1, in turn, uses a certificate issued by IntermediateIssuer2.
  • IntermediateIssuer2, in turn, uses a certificate issued by IntermediateIssuer3.
  • Finally, IntermediateIssuer3 uses a certificate issued by FinalRootIssuer, which is a root certificate authority and can be trusted.

In this case, the SSL certificate chain order will look something like this:

OriginalIssuer —> IntermediateIssuer1 —> IntermediateIssuer2 —> IntermediateIssuer3 —> FinalRootIssuer.

In this chain, OriginalIssuer is the certificate authority from which you directly purchased an end-user certificate to secure examplewebsite.com. FinalRootIssuer, the one at the end of the chain, is the root certificate authority, the one that legitimizes this entire chain. And all of the certificate authorities in between — IntermediateIssuer1, IntermediateIssuer2, IntermediateIssuer3 — are intermediate certificate authorities in this SSL certificate chain order.

When you install the SSL certificate for examplewebsite.com, all of these intermediate certificates must be bundled together and installed along with the end-user certificate. You don’t need to install the root CA certificate because it’s generally embedded in the connecting device’s trusted store already.
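
The walk described above, as an added example that is not part of the original article: a simplified Python model that takes the certificates a server sends in any order, arranges them in chain order, and names the missing link when an intermediate is absent. Certificates are reduced to constructed (subject, issuer) name pairs built from the names in the example; Cert, ChainError and build_chain are hypothetical names, and real validation also checks signatures and validity dates, which this model leaves out.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str  # who the certificate identifies
    issuer: str   # who signed it

class ChainError(Exception):
    """Raised when no path to a trusted root can be built."""

def build_chain(leaf_subject, bundle, trust_store):
    """Order the bundle leaf-first and stop below a trusted root.

    Name matching only (assumption): no signature or date checks.
    """
    by_subject = {c.subject: c for c in bundle}
    if leaf_subject not in by_subject:
        raise ChainError(f"no certificate for {leaf_subject}")
    chain, seen = [], set()
    current = by_subject[leaf_subject]
    while True:
        if current.subject in seen:
            raise ChainError(f"issuer loop at {current.subject}")
        seen.add(current.subject)
        chain.append(current)
        if current.issuer in trust_store:
            return chain  # root lives in the client's store, not the bundle
        if current.issuer == current.subject:
            raise ChainError(f"untrusted self-signed {current.subject}")
        if current.issuer not in by_subject:
            raise ChainError(f"missing intermediate {current.issuer}")
        current = by_subject[current.issuer]

# Constructed sample data: names from the example above, shuffled.
BUNDLE = [
    Cert("IntermediateIssuer2", "IntermediateIssuer3"),
    Cert("examplewebsite.com", "OriginalIssuer"),
    Cert("IntermediateIssuer3", "FinalRootIssuer"),
    Cert("OriginalIssuer", "IntermediateIssuer1"),
    Cert("IntermediateIssuer1", "IntermediateIssuer2"),
]
TRUST_STORE = {"FinalRootIssuer"}

if __name__ == "__main__":
    for cert in build_chain("examplewebsite.com", BUNDLE, TRUST_STORE):
        print(f"{cert.subject}  <-  issued by {cert.issuer}")
```

Removing any one intermediate from BUNDLE makes build_chain raise ChainError naming the missing issuer, which is the situation a browser reports as “certificate not trusted.”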

Purchase SSL Certificates from Trusted Certificate Authorities

Some of the most trustworthy root certificate authorities include RapidSSL, GeoTrust, Thawte, Symantec, and Comodo. These root certificates are embedded in the trusted store of over 99.9% of all devices and in the software package of all browsers. If you want to purchase SSL certificates from a reliable and trustworthy root certificate authority, you can go to CheapSSLSecurity for some of the best discounts on all certificate types.

