How to configure the chain of SSL certificates and why it is necessary

Installing an SSL certificate is an important step when switching to the secure protocol HTTPS — it ensures the safety of personal data. Such a website causes more trust among users. Also, the security of a web resource can affect its position in the search results.

As a rule, a single certificate is sufficient to encrypt the information sent between the visitor's browser and the server. However, some resources require greater reliability and multi-level protection. For example, a banking resource involves large financial transactions. In this case, an SSL certificate is required, which contains not only the certificate for the domain but the certificate chain (CA Bundle).

The SSL certificate chain includes certificates of guarantors confirming the validity of the document as a whole. The CA Bundle structure is as follows:

Each certificate in the chain has an electronic digital signature, linking it to the certificate one step below. Root CA is the top link in the certificate hierarchy. Clarification of CA (Certificate Authority) means that certificates are issued by a certification authority that confirms the authenticity of the encryption keys with this document.

The structure of the chain links depends on the type of certificate. As a rule, this sequence can be obtained along with a domain certificate by e-mail or downloaded on the website of the SSL provider that issued the certificate. In this case, the guarantor is a certification authority. The next step is to configure the SSL chain. There are two ways to do this.

To do this, place the certificate chain as a list in a text document. What the CA Bundle looks like can be seen in the example below — certificates with the .crt extension are placed in the specified sequence:

• CARoot.crt
  
• Intermediate1.crt
  
• Intermediate2.crt
  
• Intermediate3.crt
  
• domain.crt
  
  

The CARoot.crt file here is the root certificate; the Intermediate file bundle acts as intermediaries, domain.crt is a domain certificate. There can be many guarantors in the chain. The main task is to ensure that all links in the chain are digitally linked to each other.

The text file with the certificate chain should be saved as domain.ca-bundle.

In this line, you need to list the intermediary certificates in order and end the sequence by specifying the domain.ca-bundle file name.

Sometimes you can get a signal that the certificate chain is broken or incomplete. This, as a rule, indicates a problem with intermediate certificates — their absence in the chain, incorrect sequence, expiration of one of the certificates.

You can check the chain settings using online services. For example, SSL Shopper or SSL Checker.

To fix the error, you need to export each intermediate certificate in a chain and associate the Intermediate / chain with the root certificate. A correctly configured certificate chain will be a signal for the browser that the website can be trusted.

Another common mistake is the inability to build a certificate chain. This signals an internal error and is often associated with a lack of a valid root certificate. The solution to this problem is to install the root certificate of the Certification Authority.

A chain of certificates will be an additional way to confirm the reliability of a resource. Using the file structure, acting as guarantor, you can confirm the validity of the SSL certificate.

Setting up a chain and checking the correctness of its operation will expand the possibilities of using a web resource in various applications. Special online services will help you quickly identify errors in the chain.