What are certificate chains?

Certificate chains are (daisy) chained certificates. They are most often used in secure web servers, where the 'root CA' is a globally known CA certificate , such as GlobalTrust? or VeriSign?.

A certificate chain can be depicted using ASCII art:

    + sub-CA1
        + sub-CA2
            + SSL server certificate
            + SSL client certificate

The dependency of the "SSL server certificate" on the "sub-CA2" certificate, which in turn depends on the "sub-CA1" certificate which depends on the "root-CA" certificate is what makes this a certificate chain.

Certificate chains versus stacked certificates

A certificate chain has a dependency between the different elements. A stacked certificate means that a bunch of certificates have been stacked together, without any interdependence between them. OpenVPN supports both. When using certificates signed by multiple CAs it is often sufficient to simply stack the different CA certificates together:

  $ cat ca1.crt ca2.crt ca3.crt > stacked.crt

and use them in the OpenVPN configuration using

  ca stacked.crt

Imporant notice: All certificates which are signed by any of the CA certificates found in the 'stacked.crt' file are considered valid. Thus, be very careful when adding CA certificates to a stacked certificate.

Certificate chains are very similar but here the client (or server) certificate itself and its sub-CA certificates are stacked together, as will be explained in the following section.

How to use certificate chains in OpenVPN

  1. Consider the following CA setup:
    • the 'root CA' certificate is 'ca.crt'
    • the server certificate is signed by the root CA
    • a separate sub-CA or intermediary CA is created, which is also signed by the root CA
    • the client certificates are signed by the sub-CA.

This can be depicted using some ASCII-art:

ca.crt --- server.crt
       +-- sub-ca.crt --- client.crt
  1. Create a chained certificate by concatenating the 'client.crt' and 'sub-ca.crt' file in the right order:
      $ cat client.crt sub-ca.crt > chained.crt
  1. Configure the OpenVPN server using
      ca   ca.crt
      cert server.crt
  1. Configure the clients using
      ca   ca.crt
      cert chained.crt

The server will accept connections from the client even though it does not directly have access to the 'sub-ca.crt' file. This is very similar to how a web browser trusts a secure website, where the certificate chain has been signed by a CA certificate that the web browser knows (e.g. VeriSign?, GlobalTrust?, others).

Last modified 7 years ago Last modified on 05/02/11 10:29:59