Education Center

What is a Certificate Chain?

Certificate chain (or Chain of Trust) is made up of a list of certificates that start from a server’s certificate and terminate with the root certificate. If your server’s certificate is to be trusted, its signature has to be traceable back to its root CA. In the certificate chain, every certificate is signed by the entity that is identified by the next certified along the chain.

2023 EMA Report: SSL/TLS Certificate Security-Management and Expiration Challenges

Trusted root CAs are a handful of CAs that are recognized by the clients by default. Server and intermediate certificates meanwhile could be signed by a CA that is not recognized by the browser. In such an event, the root CA could sign the intermediate CA, which in turn could sign the server certificate. Now if the client attempts a connection with a server that has a certificate signed by a trusted intermediate CA, the server’s certificates can be traced back to the root certificate through an intermediate certificate and is thus trusted by the client.

The certificate chain simplifies key management and certificate monitoring by “grouping” CAs into a tree-like structure, where verifying the top or root CA automatically verifies the whole chain.

Do you want to manage your machine identities better?