What are certificate chains?
Certificate chains are (daisy-)chained certificates: each certificate in the chain is signed by the one above it, up to a self-signed root. They are most often seen on secure web servers, where the 'root CA' is a globally known CA certificate, such as GlobalTrust or VeriSign.
A certificate chain can be depicted using ASCII art:
root-CA
  +-- sub-CA1
       +-- sub-CA2
            +-- SSL server certificate
            +-- SSL client certificate
The "SSL server certificate" depends on (is signed by) the "sub-CA2" certificate, which in turn depends on the "sub-CA1" certificate, which depends on the "root-CA" certificate. This chain of signatures is what makes it a certificate chain.
Certificate chains versus stacked certificates
A certificate chain has a dependency (a signing relationship) between its elements. A stacked certificate file is simply a number of independent certificates concatenated into one file, with no relationship between them. OpenVPN supports both. When using certificates signed by multiple CAs it is often sufficient to stack the different CA certificates together:
$ cat ca1.crt ca2.crt ca3.crt > stacked.crt
and use them in the OpenVPN configuration using
ca stacked.crt
Important notice: every certificate signed by any of the CA certificates found in the 'stacked.crt' file is considered valid, i.e. each CA in that file becomes a full trust anchor. Thus, be very careful when adding CA certificates to a stacked certificate file: a single careless addition lets every certificate that CA has ever issued connect.
Certificate chains are very similar but here the client (or server) certificate itself and its sub-CA certificates are stacked together, as will be explained in the following section.
How to use certificate chains in OpenVPN
- Consider the following CA setup:
  - the 'root CA' certificate is 'ca.crt'
  - the server certificate is signed by the root CA
  - a separate sub-CA or intermediate CA is created, which is also signed by the root CA
  - the client certificates are signed by the sub-CA
This can be depicted using some ASCII art:
ca.crt --- server.crt
  |
  +-- sub-ca.crt --- client.crt
- Create a chained certificate by concatenating the client.crt and sub-ca.crt files in the right order (the end-entity certificate first, then its issuer):
$ cat client.crt sub-ca.crt > chained.crt
- Configure the OpenVPN server using
ca ca.crt
cert server.crt
- Configure the clients using
ca ca.crt
cert chained.crt
The server will accept connections from the client even though it does not have access to the sub-ca.crt file itself: the client sends sub-ca.crt as part of its chain, and the server uses it only to build a path from client.crt up to the ca.crt it trusts. Note that the sub-CA does not become a trust anchor by being sent; if the chain does not end at a certificate in ca.crt, the connection is rejected. This is very similar to how a web browser trusts a secure website, where the certificate chain has been signed by a CA certificate that the web browser knows (e.g. VeriSign, GlobalTrust, others).