Setting up HTTPS sounds simple, and oftentimes it can be. But when you have a project that requires a deeper understanding, it can be a little overwhelming trying to grasp all that data at once. My goal right now is to shed some light on what is what, to help you understand what you actually need to make stuff work. Look at this as a short pre-research guide that gives you some context, so that when you go read something you know what they are talking about.
There are 3 main certificates involved in securing a website:
- Root Certificate Authority (Root CA)
- Intermediate Certificate Authority (Intermediate CA)
- Issued Certificate (IC)
There are also certificate chains: Intermediate Chain and Full Chain:
- Intermediate Chain is a single file that consists of:
  - Issued Certificate
  - Intermediate CA’s Certificate.
- Full Chain is a single file that consists of:
  - Issued Certificate
  - Intermediate CA’s Certificate
  - Root CA’s Certificate.
When you go to place your SSL Certificate on a server, you are typically going to place either the Intermediate Chain or Full Chain file on the server, usually not just your certificate alone. It’s usually safe to use the full chain file for most uses, but the following information should help you understand why you would use one chain file over another.
A Root CA is a company that is in the business of signing Intermediate Certificates. We can use the term Root CA to refer to the company or the certificate itself, depending on context. There are basically a few hundred Root CAs out there today (wiki/Certificate_authority). Essentially the Root CA releases a certificate which acts much like a public key, and this key can be used to verify a signature on another certificate. Only a Root CA has the ability to sign an Intermediate Certificate, which they do with their “Private Key” (which is paired with their Public Key certificate). Many Root CAs will sign each other’s certificates so that you have many trusted sources all agreeing together who is a trusted Root CA.
The reason a Root Certificate Authority is in the position of being trusted is arbitrary. We trust them because that is their role and everyone else agreed to trust them. If a Root CA abuses our trust, other Root CAs will revoke their trust and the untrustworthy Root CA will be pushed out of the circle of trust. This is important to understand at a high level because this is one way we decide whether to trust a given certificate: by seeing who signed it and asking the question, do we trust them? And, how do we know who they are? I’ll come to that in the last paragraph.
Now, an Intermediate Certificate Authority (Intermediate CA) is much like a Root CA, except an Intermediate CA certificate is signed by a Root CA, which means that if the Root CA is trusted then that trust is imparted to the Intermediate CA. It is one of the jobs of the SSL / TLS protocol to go out and verify who signed whom and make sure these people are trustworthy. Just having a certificate with a signature doesn’t mean much by itself.
Finally, we come to the Issued Certificate, or just SSL Certificate if you like. You might even call it a TLS Certificate because technically SSL suffers from an exploitable bug called Heartbleed and is no longer used. Yeah, technically SSL is no longer used, now it’s TLS. If you use the term “SSL” people will still know what you are talking about though. Anyways, point is, you can get one of these certificates for your website (or other communication protocols). And you can even get one for free from Let’s Encrypt. When you apply for one of these certificates, the Intermediate CA will usually require you to prove you own the domain by proving you have access to place a file in the root directory or even access to the domain’s DNS. This next part is important: you are trusted by the Intermediate CA because your domain name is bound to your Issued Certificate and you proved that you own the domain; the TLS protocol ensures that your certificate is only valid on your domain. So when you put your Issued Certificate on your site and enable HTTPS (which is a whole other ordeal), your visitors’ web browsers will see your Issued Certificate for your domain, signed by an Intermediate CA, which is signed by a Root CA. The chain of trust is complete and you are in the circle of trust! You are now trusted by the people who are already trusted. But we have one last thing that is critical to all of this working correctly…
Prove it to me
There is only one way to know who to trust and who not to trust at the most foundational level: You’ve gotta have a record of who is trustworthy already on your computer.
Ultimately this all works because you have a list of trusted Root CAs in your browser or elsewhere on your computer. This list is typically updated on your operating system one way or another automatically through system updates. If you are a software developer writing code that communicates to endpoints over HTTPS, you may have more than one collection of trusted Root CAs. This list can be updated to include your own Root CA certificate if desired. You can then distribute this “Self-signed Root CA” to the computers that you want to trust that Root CA. This allows you to sign your own certificates for whatever purpose you have: security inside of your network, other arbitrary communication protocols, other privacy concerns, sniffing all data going in and out of your network over HTTPS, etc. But that is a topic for another time.
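The two chain files and the client's list of trusted roots can be tried out with the `openssl` command line. This is an added example, not part of the original post; it assumes OpenSSL 1.1.1 or later, and every CA name, hostname and file name in it is constructed for the demo.

```shell
#!/bin/sh
# Throwaway PKI: every name, key and file below is constructed for this demo.
cd "$(mktemp -d)" || exit 1
printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=CN\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# mkcert NAME SUBJECT EXTFILE [ISSUER]: without ISSUER the result is self-signed (a root)
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "$4" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$3" -days 2 \
      -out "$1.pem" 2>/dev/null
  fi
}
mkcert root  "Demo Root CA"         ca.ext
mkcert other "Unrelated Root CA"    ca.ext
mkcert inter "Demo Intermediate CA" ca.ext   root
mkcert leaf  "www.example.test"     leaf.ext inter

cat leaf.pem inter.pem          > chain.pem      # the post's "Intermediate Chain"
cat leaf.pem inter.pem root.pem > fullchain.pem  # the post's "Full Chain"

# verify_leaf HOST TRUSTED SENT: TRUSTED is the file of roots the client trusts,
# SENT is the file the server presents. Exit status 0 means the client accepts.
verify_leaf() {
  openssl verify -CAfile "$2" -untrusted "$3" -verify_hostname "$1" leaf.pem \
    >/dev/null 2>&1
}
report() {
  if verify_leaf "$2" "$3" "$4"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}
report "issued certificate alone"   www.example.test   root.pem  leaf.pem
report "intermediate chain"         www.example.test   root.pem  chain.pem
report "full chain"                 www.example.test   root.pem  fullchain.pem
report "wrong hostname"             other.example.test root.pem  chain.pem
report "client trusts other roots"  www.example.test   other.pem fullchain.pem
```

Only the two chain-file cases are accepted: without the intermediate the client cannot link the issued certificate to a root it knows, and a root that arrives inside the full chain counts for nothing unless it is already in the client's own trusted list.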