How Certificate Trust Chains Work
How Certificate Trust Chains Work
Certificate trust operates through a hierarchical chain from server certificates through intermediate CAs to root CAs. Browsers ship with pre-installed root CA certificates from trusted authorities like DigiCert, Let's Encrypt, and GlobalSign. Server certificates must chain back to these roots through valid signatures.
Verify certificate chains using:
# Display complete certificate chain
openssl s_client -showcerts -connect example.com:443 < /dev/null
# Verify chain validity
openssl verify -CAfile <(curl -s https://letsencrypt.org/certs/isrgrootx1.pem) -untrusted intermediate.crt server.crt
# Test with specific CA bundle
curl --cacert ca-bundle.crt https://example.com