Chained and single Root certificates

Every Certification Authority (CA) has its root certificate. Root certificate is self-signed certificate that identifies the issuer of digital certificates (CA). To enhance security of root certificates CAs create intermediate certificates (for example, for specific type of certificates they issue). There might be couple of intermediate certificates. The sequence of root and intermediate certificates belonging to CA is called 'chain'. Each certificate in the chain is signed by the subsequent certificate. In this scheme, webserver certificate (the one that is to be installed on webserver where user's site is hosted) is signed not by root certificate directly but by one of intermediates.

Unlikely to chained certificates, single root ones are signed directly by root certificate of CA. Currently most of CAs are abandoning this technique. According to NIST guidelines, as well as the policies of Mozilla, Microsoft and other browser and platform vendors usage of chained certificates provides higher level of security.

Browsers and other web applications usually ship root certificates only. This means that they will not recognize webserver certificate as valid unless all intermediates are installed. To make chained certificate work one would need to install all certificates from the 'chain'. Chained certificate installation is rather simple process. The installation instructions are available in manuals for webservers as well as on support sites of CAs.

Important: Sectigo (former Comodo) CA currently has two versions of the "USERTrust RSA Certification Authority" SHA-2 root certificate. First one is cross-signed by the old SHA1 "AddTrust External CA Root" certificate and is included to the default CA Bundle provided along with the issued certificates. This should help the browsers to get acquainted to the new root certificate as the old root is widely trusted and can be a guarantee for the whole chain.

The other version is not cross-signed by any other certificate and is a self-signed SHA2 root certificate in fact. It is expected that by the time the old "AddTrust External CA Root" certificate expires (on May 2020), the new root will become trusted by most of the browsers. Then, the chains that contain this new root (not cross-signed) will become actual.

36146 times

Need help? We're always here for you.