= What are certificate chains? =

Certificate chains are (daisy) chained certificates. They are most often used in secure web servers, where the 'root CA' is a globally known CA certificate, such as GlobalTrust or VeriSign.

A certificate chain can be depicted using ASCII art:
{{{
root-CA
  + sub-CA1
      + sub-CA2
          + SSL server certificate
          + SSL client certificate
}}}
The dependency of the "SSL server certificate" on the "sub-CA2" certificate, which in turn depends on the "sub-CA1" certificate, which depends on the "root-CA" certificate, is what makes this a certificate '''chain'''.

= Certificate chains versus stacked certificates =

A certificate chain has a dependency between the different elements. A stacked certificate means that a bunch of certificates have been stacked together, with no dependency between them. OpenVPN supports both.

When using certificates signed by multiple CAs it is often sufficient to simply stack the different CA certificates together:
{{{
$ cat ca1.crt ca2.crt ca3.crt > stacked.crt
}}}
and use them in the OpenVPN configuration using
{{{
ca stacked.crt
}}}

'''Important notice''': All certificates which are signed by '''any''' of the CA certificates found in the 'stacked.crt' file are considered valid. Thus, be very careful when adding CA certificates to a stacked certificate.

Certificate ''chains'' are very similar, but here the client (or server) certificate itself and its sub-CA certificates are stacked together, as will be explained in the following section.

= How to use certificate chains in OpenVPN =

 1. Consider the following CA setup:
   * the 'root CA' certificate is 'ca.crt'
   * the server certificate is signed by the root CA
   * a separate sub-CA or intermediary CA is created, which is also signed by the root CA
   * the client certificates are signed by the sub-CA.
 This can be depicted using some ASCII art:
{{{
ca.crt --- server.crt
  +-- sub-ca.crt --- client.crt
}}}
 2. Create a chained certificate by concatenating the client.crt and sub-ca.crt files in the right order (the client certificate first, then the sub-CA certificate that signed it):
{{{
$ cat client.crt sub-ca.crt > chained.crt
}}}
 3. Configure the OpenVPN server using
{{{
ca ca.crt
cert server.crt
}}}
 4. Configure the clients using
{{{
ca ca.crt
cert chained.crt
}}}
The server will then accept connections from the client even though it does not directly have access to the sub-ca.crt file.
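As an added example (not part of the original wiki page or of OpenVPN itself), the following Python script checks whether a PEM bundle such as chained.crt is in the right order: each certificate's issuer must be the subject of the certificate that follows it, so the client certificate comes first and the sub-CA(s) after it. It reads only the issuer and subject Names from the DER structure, so it runs offline without OpenSSL; the bundles it checks are built from constructed stand-in "certificates" that mimic the X.509 layout but carry dummy names and no real key or signature.

```python
import base64
import re

# Split a PEM bundle (e.g. chained.crt) into DER-encoded certificates.
def pem_to_ders(text):
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(b.split())) for b in re.findall(pat, text, re.S)]

# Minimal DER reader: (tag, value, remaining bytes) of the first TLV in buf.
def tlv(buf):
    tag, n, hdr = buf[0], buf[1], 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, hdr = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[hdr:hdr + n], buf[hdr + n:]

# Walk tbsCertificate just far enough to return the raw DER issuer and subject Names.
def issuer_and_subject(der):
    _, cert, _ = tlv(der)                         # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(cert)                         # tbsCertificate
    tag, _, rest = tlv(tbs)                       # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, rest = tlv(rest)                    # serialNumber
    _, _, rest = tlv(rest)                        # signature AlgorithmIdentifier
    _, issuer, rest = tlv(rest)
    _, _, rest = tlv(rest)                        # validity
    _, subject, _ = tlv(rest)
    return issuer, subject

# True when every certificate in the bundle is issued by the one after it,
# i.e. leaf first, then sub-CA(s) in order (the root may follow last).
def chain_is_ordered(pem_text):
    pairs = [issuer_and_subject(d) for d in pem_to_ders(pem_text)]
    return all(pairs[i][0] == pairs[i + 1][1] for i in range(len(pairs) - 1))

# --- constructed test input: stand-in "certificates" with the same outer DER
# layout as X.509 (version, serial, sigalg, issuer, validity, subject), but dummy
# Names, an empty signature algorithm and a placeholder signature. Not real certs.
def der(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def fake_cert(subject, issuer):
    name = lambda s: der(0x30, der(0x13, s.encode()))      # SEQUENCE { PrintableString }
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer) + der(0x30, b"") + name(subject))
    cert = der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()

CLIENT, SUB_CA, ROOT = fake_cert("client", "sub-ca"), fake_cert("sub-ca", "root"), fake_cert("root", "root")
CHAINED_OK = CLIENT + SUB_CA          # what "cat client.crt sub-ca.crt > chained.crt" produces
CHAINED_BAD = SUB_CA + CLIENT         # the same two files concatenated in the wrong order

if __name__ == "__main__":
    print("right order:", chain_is_ordered(CHAINED_OK))    # True
    print("wrong order:", chain_is_ordered(CHAINED_BAD))   # False
```

The same `chain_is_ordered` check works on a real chained.crt, since it only compares the raw DER issuer and subject fields of adjacent certificates.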