= What are certificate chains? =

Certificate chains are (daisy) chained certificates. They are most often used in secure web servers, where the 'root CA' is a globally known CA certificate, such as GlobalTrust or VeriSign. A certificate chain can be depicted using ASCII art:

{{{
root-CA
  + sub-CA1
    + sub-CA2
      + SSL server certificate
      + SSL client certificate
}}}

The dependency of the "SSL server certificate" on the "sub-CA2" certificate, which in turn depends on the "sub-CA1" certificate, which depends on the "root-CA" certificate, is what makes this a certificate '''chain'''.

= Certificate chains versus stacked certificates =

A certificate chain has a dependency between the different elements. A stacked certificate means that a bunch of certificates have been stacked together, without any interdependence between them. OpenVPN supports both.

When using certificates signed by multiple CAs it is often sufficient to simply stack the different CA certificates together:

{{{
$ cat ca1.crt ca2.crt ca3.crt > stacked.crt
}}}

and use them in the OpenVPN configuration using

{{{
ca stacked.crt
}}}

'''Important notice''': All certificates which are signed by '''any''' of the CA certificates found in the 'stacked.crt' file are considered valid. Thus, be very careful when adding CA certificates to a stacked certificate.

Certificate ''chains'' are very similar, but here the client (or server) certificate itself and its sub-CA certificates are stacked together, as will be explained in the following section.

= How to use certificate chains in OpenVPN =

 1. Consider the following CA setup:
   * the 'root CA' certificate is 'ca.crt'
   * the server certificate is signed by the root CA
   * a separate sub-CA or intermediate CA is created, which is also signed by the root CA
   * the client certificates are signed by the sub-CA.

 This can be depicted using some ASCII art:

{{{
ca.crt --- server.crt
   +-- sub-ca.crt --- client.crt
}}}

 2. Create a chained certificate by concatenating the 'client.crt' and 'sub-ca.crt' files in the right order (the client certificate first, then the sub-CA certificate):

{{{
$ cat client.crt sub-ca.crt > chained.crt
}}}

 3. Configure the OpenVPN server using

{{{
ca ca.crt
cert server.crt
}}}

 4. Configure the clients using

{{{
ca ca.crt
cert chained.crt
}}}

The server will accept connections from the client even though it does not directly have access to the 'sub-ca.crt' file. This is very similar to how a web browser trusts a secure website, where the certificate chain has been signed by a CA certificate that the web browser knows (e.g. VeriSign, GlobalTrust, others).
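The following script is an added example and not part of the OpenVPN wiki page: it builds a throwaway root CA, sub-CA and client certificate with `openssl`, assembles 'chained.crt' exactly as in step 2, and then checks with `openssl verify` what a peer holding only 'ca.crt' accepts. It also reproduces the "important notice" above by showing that a stacked 'ca.crt' + 'ca2.crt' file accepts a certificate issued by the second root. All names, CNs and files are constructed by the script in a temporary directory; it assumes an `openssl` binary (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example: demonstrate how a chained certificate (leaf first, sub-CA
# after) is verified against the root CA alone, and how a stacked CA file
# trusts leaves from every CA it contains. Everything here is constructed.
set -eu
cd "$(mktemp -d)"

# Self-signed root CA: $1 = file basename, $2 = subject CN.
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Certificate signed by an existing CA: $1 = basename, $2 = CN,
# $3 = issuer basename, $4 = "CA:TRUE" for a sub-CA, "CA:FALSE" for a leaf.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf 'basicConstraints=critical,%s\n' "$4" > "$1.ext"
    openssl x509 -req -days 1 -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Verify the first certificate in $2 (the leaf) using the remaining
# certificates in $2 as untrusted intermediates and $1 as the only trust
# anchor. This mirrors what the peer does when it is sent a chain file.
verify_leaf() {
    openssl x509 -in "$2" -out leaf.tmp 2>/dev/null     # first PEM block only
    openssl verify -CAfile "$1" -untrusted "$2" leaf.tmp >/dev/null 2>&1
}

new_root ca      "Root CA"
issue    sub-ca  "Sub CA"  ca     CA:TRUE
issue    client  "client1" sub-ca CA:FALSE
cat client.crt sub-ca.crt > chained.crt        # step 2 from the page

# Stacked CAs: an unrelated second root and a client certificate it signed.
new_root ca2     "Other Root CA"
issue    other   "other-client" ca2 CA:FALSE
cat ca.crt ca2.crt > stacked.crt

if verify_leaf ca.crt chained.crt;    then echo "chained.crt: accepted using ca.crt only"; fi
if ! verify_leaf ca.crt client.crt;   then echo "client.crt alone: rejected, sub-CA missing"; fi
if verify_leaf stacked.crt other.crt; then echo "stacked.crt: also accepts certificates from ca2"; fi
```

The second check is the failure mode to watch for when a client is configured with 'client.crt' instead of 'chained.crt': the server has no way to find the sub-CA and rejects the connection.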