Chain of Trust (Me?)

Published on February 14, 2022 at 6:22 pm by LEW

Introduction

When dealing with computer security, there is something known as a Chain of Trust. In principle, this Chain of Trust is supposed to ensure the integrity of our systems, and it is built out of signed certificates. I am sure most of you have gotten that browser warning about untrusted certificates, so it behooves us to understand something about these certificates.

My introduction to all this came some years ago when, all of a sudden, all the servers in my home lab refused to load properly. At that point none of them had certificates of any sort.

At that point I created a bunch of self-signed certificates (a certificate I signed myself, saying I created it and I trusted it). That worked for a while, until I started getting the untrusted certificate error. It turned out self-signed certificates were now a bad thing, which in a way is ironic (I will explain why later).

Doing a little research and experimentation, I found I could make my own local root certificate authority. However, this was kind of counterproductive, as I would need to install my root certificate on every browser I intended to use.

In the end I defaulted to using Let's Encrypt.

Certificate Authority and Root Certificate

What is referred to as the Root Certificate sits at the highest level of the Chain of Trust. It belongs to a Certificate Authority (the ironic part is that all root certificates are self-signed).

All major browsers have a set of certificate authorities they trust, so they ship with a store of root certificates. If you dig into your browser settings under security, you should be able to find them.

Verisign, GeoTrust, and DigiCert are examples of root certificate authorities.

When I created my own local Certificate Authority, I imported my root certificate into the browser I was using, adding it to the certificate authorities already there.

Intermediate Certificate

An intermediate certificate is signed by a certificate authority. Because the intermediate certificate is trusted (signed) by a certificate authority that the browser trusts, the browser also trusts the intermediate certificate. Go Daddy is an example of an intermediate certificate holder.

There can be multiple levels of intermediate certificates. If you buy a certificate, it generally comes from a holder of an intermediate certificate.

End User Certificate

If you have a certificate that was free or very low cost, it was signed by an intermediate certificate holder. Because your browser trusts the root certificate that signed the intermediate certificate, it also trusts end user certificates signed by that intermediate certificate. This is the chain of trust.
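The three levels just described, as an added example that is not code from the original post: a throwaway root, intermediate and end-user certificate are generated with the openssl command line (assumed to be version 1.1.1 or newer), and `openssl verify` then plays the part of the browser, trusting only what is in its root store. Every name here ("Lab Root CA", lab.example) is made up. Beyond the post's own cases it also shows what happens when the intermediate link is missing, and that a self-signed certificate is rejected against the root store but accepted once it is imported as its own trust anchor, which is what installing a home-lab certificate or a local root into the browser amounts to.

```shell
#!/bin/sh
# Added example, not code from the original post: build a three-level chain
# (root -> intermediate -> end-user certificate) with the openssl CLI and
# check each certificate the way a browser's verifier would.
# Assumptions: openssl 1.1.1 or newer on PATH; every name ("Lab Root CA",
# lab.example) is made up for the demo.
set -e
LAB="$(mktemp -d)"
trap 'rm -rf "$LAB"' EXIT
CNF="$LAB/lab.cnf"

# Minimal openssl config: one extension section per role in the chain.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:lab.example
EOF

# 1. Root certificate: signed with its own key (issuer == subject). This is
#    the trust anchor a browser keeps in its root store.
openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 2 \
  -keyout "$LAB/root.key" -out "$LAB/root.pem" \
  -subj "/CN=Lab Root CA" -extensions v3_root 2>/dev/null

# 2. Intermediate certificate: a request signed by the root's private key.
openssl req -config "$CNF" -new -newkey rsa:2048 -nodes \
  -keyout "$LAB/inter.key" -out "$LAB/inter.csr" \
  -subj "/CN=Lab Intermediate CA" 2>/dev/null
openssl x509 -req -in "$LAB/inter.csr" -CA "$LAB/root.pem" -CAkey "$LAB/root.key" \
  -CAcreateserial -days 2 -out "$LAB/inter.pem" \
  -extfile "$CNF" -extensions v3_intermediate 2>/dev/null

# 3. End-user (server) certificate: a request signed by the intermediate's key.
openssl req -config "$CNF" -new -newkey rsa:2048 -nodes \
  -keyout "$LAB/leaf.key" -out "$LAB/leaf.csr" \
  -subj "/CN=lab.example" 2>/dev/null
openssl x509 -req -in "$LAB/leaf.csr" -CA "$LAB/inter.pem" -CAkey "$LAB/inter.key" \
  -CAcreateserial -days 2 -out "$LAB/leaf.pem" \
  -extfile "$CNF" -extensions v3_leaf 2>/dev/null

# 4. A self-signed server certificate, the kind the post's home lab started with.
openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 2 \
  -keyout "$LAB/self.key" -out "$LAB/self.pem" \
  -subj "/CN=lab.example" -extensions v3_leaf 2>/dev/null

# Is a certificate self-signed? Then its issuer name equals its subject name.
is_self_signed() {
  subject="$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//')"
  issuer="$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*=//')"
  [ "$subject" = "$issuer" ] && echo yes || echo no
}

# Act like the browser: trust only the certificates in the root store ($1),
# treat any intermediate ($3) merely as a link to be checked, and decide
# whether the end-user certificate ($2) chains back to a trusted root.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

echo "root is self-signed:              $(is_self_signed "$LAB/root.pem")"
echo "intermediate is self-signed:      $(is_self_signed "$LAB/inter.pem")"
echo "leaf via intermediate:            $(verify_chain "$LAB/root.pem" "$LAB/leaf.pem" "$LAB/inter.pem")"
echo "leaf without the intermediate:    $(verify_chain "$LAB/root.pem" "$LAB/leaf.pem")"
echo "self-signed cert vs root store:   $(verify_chain "$LAB/root.pem" "$LAB/self.pem")"
echo "self-signed cert after importing: $(verify_chain "$LAB/self.pem" "$LAB/self.pem")"
```

The "leaf without the intermediate" line is the practical lesson: the browser only holds roots, so a server that sends its end-user certificate without the intermediate that signed it breaks the chain even though every certificate in it is valid. The last line is the home-lab shortcut the post describes: importing a self-signed certificate (or a private root) into the browser makes it a trust anchor, and the verifier is happy, but only on the browsers where it was imported.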

Conclusion

Obviously there is a bit more to it, as this is a very high-level view. The purpose here was to focus on what the chain of trust is, not the nuts and bolts of how it works.

In a future post I will bring this concept and encryption together for a more in-depth discussion of certificates.
