Intermediate Certificate Chains

Context: The Wormly SSL Tester verifies whether a server has correctly installed all necessary intermediate certificates.

One of the features of the SSL certificate ecosystem is that the authority to sign certificates can be delegated down a chain.

Let’s use our domain name - www.wormly.com - as an example. Our certificate was issued by a certificate authority (CA) named “RapidSSL”.

However, this authority is most likely not explicitly trusted by your browser or operating system.

RapidSSL utilizes a certificate signing key which is in turn certified by “GeoTrust Global”.

Because your browser or OS does explicitly trust GeoTrust Global, who in turn trusts RapidSSL, the end result is that you implicitly trust RapidSSL, and their assertion that we legitimately control the domain www.wormly.com.

The caveat is that our server must present to you both the www.wormly.com certificate (signed by RapidSSL), and also present RapidSSL's certificate (signed by GeoTrust Global) when a connection is established.

This is described as including the intermediate certificate(s).

If you fail to include the intermediate certificates, then the end user is presented with a certificate signed by a CA which they do not explicitly trust.

If the Wormly SSL Tester indicates that your certificate is not trusted, this is most likely the reason why.

But my browser accepts the certificate!

Indeed it does, but why? Most modern browsers will, when faced with a non-trusted certificate, examine the certificate for an extension named “Authority Information Access” (AIA). This extension will usually contain a URL to the missing intermediate certificate. The browser then fetches this certificate, and if it is trusted (i.e. signed by a trusted CA) the browser will be satisfied that it can trust your certificate as per the chaining process described above.

You should not rely on this behavior, most significantly because it substantially increases the time taken to establish the initial connection to your server: the client must make another HTTP request to retrieve the intermediate certificate from a third-party server.

Additionally, this behavior cannot be relied on to exist across all platforms that your users might utilize.

So be sure to install all necessary intermediate certificates on your web server! For the Apache HTTP server, the relevant configuration directive is:

SSLCACertificateFile /path/to/your/certificate_chain.pem
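
The failure described above can be reproduced offline. The script below is an added example, not part of the original article or the Wormly SSL Tester: it builds a constructed root, intermediate and leaf with the openssl command-line tool, then verifies the leaf the way a client that trusts only the root and does not download missing issuers would. All subjects and file names are made up for the demo, and `-untrusted` stands in for the extra certificates a server presents.

```shell
#!/bin/sh
# Added example; all names, subjects and files are constructed for the demo.

# make_chain DIR: create root.pem, int.pem and leaf.pem (root -> int -> leaf).
make_chain() (
  set -e
  cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: the only certificate the client trusts explicitly.
  openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions v3_ca \
    -subj "/CN=Constructed Root CA" -keyout root.key -out root.pem -days 2
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=Constructed Intermediate CA" -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_ca -days 2 -out int.pem
  # Leaf (server) certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_leaf -days 2 -out leaf.pem
) >/dev/null 2>&1

# chain_ok ROOT LEAF [PRESENTED]: succeeds if LEAF chains to ROOT using only
# the extra certificates the server presented (-untrusted), if any.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo_dir=$(mktemp -d) && make_chain "$demo_dir"
chain_ok "$demo_dir/root.pem" "$demo_dir/leaf.pem" \
  && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
chain_ok "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem" \
  && echo "leaf + intermediate: trusted" || echo "leaf + intermediate: NOT trusted"
```

To see which certificates a live server actually sends, `openssl s_client -connect HOST:443 -servername HOST -showcerts` lists them, with HOST standing for your own server name.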
