The Certificate Chain of Trust

How a root authority vouches for certificates through a verifiable chain.

Binding Identity to a Key

A public key alone says nothing about whose key it is. A certificate binds a public key to an identity such as a domain name, and a certificate authority signs that binding so others can trust it.

Following the Chain

Trust flows through a chain. A trusted root certificate signs intermediate certificates, which in turn sign the leaf certificate for a specific site. A client verifies each signature up the chain until it reaches a root it already trusts in its trust store.

Verification checks several things:

  • Each certificate is signed by the one above it.
  • The certificate is not expired and matches the expected name.
  • The certificate is not revoked, checked through revocation lists or status protocols.

If any link fails, the whole chain is untrusted and the connection should be refused rather than silently accepted.
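As an added example (not part of the original lesson), the following Go program builds a constructed three-link chain with the standard library's crypto/x509 and then runs the checks listed above in the order a client would: every signature up to a root in the trust store, validity period and name, then revocation. The root, intermediate and leaf names, the serial numbers, and the `RevokedSerials` map (a stand-in for a CRL or OCSP lookup, which `x509.Verify` does not perform on its own) are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the three links of a constructed root -> intermediate -> leaf PKI.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// RevokedSerials stands in for a CRL or OCSP responder: serials the issuer has withdrawn (constructed).
type RevokedSerials map[string]bool

// ErrRevoked is returned when any link of an otherwise valid chain is revoked.
var ErrRevoked = errors.New("chain contains a revoked certificate")

// template builds a certificate template; CA templates may sign, leaf templates name a host.
func template(cn string, isCA bool, serial int64, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh key for tmpl and has parent sign it; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain constructs a root CA, an intermediate it signs, and a leaf for host signed by the intermediate.
func BuildChain(host string, leafExpiry time.Time) (*Chain, error) {
	tenYears := time.Now().Add(10 * 365 * 24 * time.Hour)
	root, rootKey, err := issue(template("Example Root CA", true, 1, tenYears), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(template("Example Intermediate CA", true, 2, tenYears), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(template(host, false, 3, leafExpiry), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// Verify runs the lesson's checks: each signature up to the trusted root, validity period and
// name (all done by crypto/x509), then revocation of every link (our own pass, because
// x509.Verify does not consult CRLs or OCSP). Any error means the caller must refuse the connection.
func Verify(c *Chain, trusted *x509.Certificate, host string, now time.Time, revoked RevokedSerials) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	chains, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: now})
	if err != nil {
		return err
	}
	for _, cert := range chains[0] { // leaf, intermediate, root
		if revoked[cert.SerialNumber.String()] {
			return fmt.Errorf("%w: serial %s (%s)", ErrRevoked, cert.SerialNumber, cert.Subject.CommonName)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	c, err := BuildChain("www.example.test", now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted root, right name:", Verify(c, c.Root, "www.example.test", now, nil))
	fmt.Println("wrong name:", Verify(c, c.Root, "other.example.test", now, nil))
	fmt.Println("revoked intermediate:", Verify(c, c.Root, "www.example.test", now, RevokedSerials{"2": true}))
}
```

`x509.Verify` walks the signatures and checks the validity window and the name, but the revocation loop is separate because the standard library leaves CRL and OCSP lookups to the caller; a real client would replace the `RevokedSerials` map with those lookups. A chain whose root is not in the trust store, whose name does not match, whose leaf has expired, or that contains a revoked link all come back as errors, and the caller refuses rather than falling through.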

Key idea

Trust in a certificate comes from a verifiable chain up to a trusted root, so validate every signature, name, expiry, and revocation status and refuse the connection if any link is broken.

Check yourself

1. How does a client decide to trust a leaf certificate?

2. What should happen if one link in the chain fails verification?

3. What does a certificate primarily bind together?