diagram.mmd — flowchart
Certificate Authority Chain flowchart diagram

A Certificate Authority (CA) chain — also called a chain of trust or certificate chain — is a hierarchical sequence of certificates linking an end-entity certificate (issued to a website or service) back to a trusted root certificate that browsers and operating systems ship with.

The chain has three tiers. At the top sit root CAs: self-signed certificates issued by organizations like DigiCert, Let's Encrypt, and Comodo that have been audited and accepted into the root stores of major browsers and operating systems. Root CA private keys are kept offline in hardware security modules (HSMs) inside physically secured facilities, because compromising a root CA would invalidate trust for potentially millions of certificates.

Because root keys are kept offline, day-to-day issuance is handled by intermediate CAs. A root CA signs an intermediate CA certificate, delegating the right to issue certificates within defined constraints. Intermediate CAs are online and active; if one is compromised, its certificate can be revoked without touching the root. Most certificate hierarchies use one or two intermediate CAs between the root and end-entity certificates.

End-entity certificates (also called leaf certificates) are issued by an intermediate CA to a specific domain, organization, or individual. When a server presents its certificate during a TLS handshake, it typically sends its end-entity certificate plus the intermediate CA certificate(s). The browser already has the root CA certificate in its trust store and can walk the chain: verify the end-entity certificate was signed by the intermediate, verify the intermediate was signed by the root, confirm the root is trusted.

If any certificate in the chain is expired, revoked, or has an invalid signature, the entire chain fails. This design means a compromised intermediate CA can be revoked and replaced while the root remains trusted. See TLS Certificate Validation for the runtime validation process, and Digital Signature Workflow for how the signing at each level works.
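The chain walk described above, as an added Go example (not part of this page's diagram and not Graphlet code), using only the standard crypto/x509 package. It generates a constructed root, intermediate and leaf in memory (the names, serials and validity periods are assumptions chosen for the demo) and then runs the client-side verification four ways: with the full chain, with the intermediate omitted, with the root absent from the trust store, and at a time after the leaf has expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds a constructed three-tier hierarchy: a self-signed root, one
// intermediate signed by the root, and one leaf signed by the intermediate.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// signCert signs tmpl with signerKey on behalf of parent and parses the DER back.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// BuildChain generates root -> intermediate -> leaf (hypothetical names) with
// validity periods measured from now. Keys never leave memory.
func BuildChain(now time.Time) (*Chain, error) {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	day := 24 * time.Hour

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * day),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: the template is its own parent and is signed by its own key.
	root, err := signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	interTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * 365 * day),
		IsCA: true, BasicConstraintsValid: true,
		// pathLenConstraint=0: this intermediate may sign leaves only, not further CAs.
		MaxPathLen: 0, MaxPathLenZero: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	inter, err := signCert(interTmpl, root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example.com"},
		DNSNames:  []string{"example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * day),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := signCert(leafTmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyLeaf walks the chain the way a TLS client does: presented is what the
// server sent alongside the leaf, trusted is the client's root store. Verify
// checks every signature and validity period plus the hostname, and fails
// unless the path ends at a certificate in trusted.
func VerifyLeaf(leaf *x509.Certificate, presented, trusted []*x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool() // non-nil even when empty, so system roots are never consulted
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	now := time.Now()
	c, err := BuildChain(now)
	if err != nil {
		panic(err)
	}
	inter, store := []*x509.Certificate{c.Intermediate}, []*x509.Certificate{c.Root}
	fmt.Println("full chain:          ", VerifyLeaf(c.Leaf, inter, store, "example.com", now))
	fmt.Println("missing intermediate:", VerifyLeaf(c.Leaf, nil, store, "example.com", now))
	fmt.Println("root not in store:   ", VerifyLeaf(c.Leaf, inter, nil, "example.com", now))
	fmt.Println("leaf expired:        ", VerifyLeaf(c.Leaf, inter, store, "example.com", now.Add(91*24*time.Hour)))
}
```

Only the first call returns nil. Omitting the intermediate yields an unknown-authority error even though the leaf itself is perfectly valid, which is exactly the misconfiguration described in the FAQ below; an empty root pool produces the same class of error, and moving the clock past the leaf's NotAfter fails on the validity check before any trust decision is made.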


Frequently asked questions

A certificate authority chain is a hierarchical sequence of certificates linking an end-entity (leaf) certificate back to a trusted root CA. Each certificate in the chain is signed by the one above it, creating a verifiable path of trust that browsers can walk to confirm a certificate is legitimate.
Root CA private keys are kept strictly offline to protect against compromise. Intermediate CAs handle day-to-day issuance while online. If an intermediate CA is compromised, it can be revoked and replaced without invalidating the root or the entire PKI hierarchy.
If a server fails to send an intermediate CA certificate during the TLS handshake, the browser cannot complete the chain to a trusted root and will reject the connection with a certificate error, even if the end-entity certificate itself is valid.
A root CA is self-signed and pre-installed in browser and OS trust stores. It represents the ultimate anchor of trust and its key is kept offline. An intermediate CA has a certificate signed by the root (or another intermediate) and operates online to issue certificates to domains and services.
mermaid
flowchart TD
    RootCA["Root CA Certificate\n(Self-signed, in browser trust store)\nStored offline in HSM"]
    IntermCA1["Intermediate CA Certificate\n(Signed by Root CA)\nOnline, issues end-entity certs"]
    IntermCA2["Intermediate CA Certificate\n(Signed by Root CA)\nAlternate intermediate"]
    Leaf1["End-Entity Certificate\nDomain: example.com\n(Signed by Intermediate CA)"]
    Leaf2["End-Entity Certificate\nDomain: api.example.com\n(Signed by Intermediate CA)"]
    Browser["Browser / Client\nVerifies chain signature-by-signature"]
    TrustStore["OS / Browser Trust Store\nContains pre-installed root CA certs"]
    RootCA -->|Signs| IntermCA1
    RootCA -->|Signs| IntermCA2
    IntermCA1 -->|Signs| Leaf1
    IntermCA1 -->|Signs| Leaf2
    TrustStore -->|Contains| RootCA
    Browser -->|1. Receives| Leaf1
    Browser -->|2. Fetches / server-sends| IntermCA1
    Browser -->|3. Validates against| TrustStore