1. abstract

The aim is documenting the security/networking concept of certificate chain based on the superb Troubleshooting with Wireshark: Analyzing and Decrypting TLS Traffic in Wireshark (Using HTTPs)

2. Certificate Authority Server (CA)

  • certificate must be issued by a trusted party called Certificate Authority Server
  • certificate authority is public and acknowledged by vendors

3. cert chain

  • check any certificate within a browser (devtools 🠊 certificate 🠊 certificate path) and see the certificate chain consisting of
    • 1 root certificate
    • 1+ intermediate certificates
    • 1 server certificate


  • certificate chain is a chain of authority in certificates
  • we can do some mathematics to verify that the certificate was actually issued by a CA that is said it was (this verification is SIGNING)


4. root cert

  • in the order of hundreds (~150) globally


  • offline
  • in-OS
  • root certs create intermediate certificates (physically on the vendor’s side)
  • root certificate signs the intermediate certificate each session to guarantee its origins


  • you purchase root certificate from verified, publicly available HTTPS CA
    • Let’s Encrypt for Free
    • Verasign
    • Digicert …
  • the root certificate verifies that the server you are browsing to is actually the server it declares itself to be

5. intermediate certificate

  • in the order of thousands


  • root certificate creates intermediate certificate
  • root signs intermediate certificate with root certificate
  • the certificate authority server sends the intermetiade certificate to web browser organization
  • also, intermediate certificates are often included in OS updates
  • online
    • in-browser
    • downloaded to both client and the server from-CA-server as visualized below
    • only afterwards a server certificate is sent
    • sometimes, the intermediate cert is sent from the server as well (just in case CA server not accessible)
    • this being recommeneded as a best practice


6. server cert


  • online
    • in-browser
    • from-endpoint server
    • contains domain-name
  • passed during the session after it is signed by an intermediary cert
  • after it is verified that it is issued by the downloaded intermediate certificate
  • …it is downloaded
  • and public-private key exchange can begin

6.1. public key

  • 2 large prime numbers used for the public/private key exchange


6.2. verification information

  • certificate chain of authority that links particular domain(server) certificates to intermetiary to root certificates
  • you do computations to verify that certs were actually issued by who they claim to be issued by

6.3. URL

  • the domain the are certifying

6.4. expiry

  • date

7. expiry

  • all of the certificates have expiry dates
  • usually we talk about server cert expiry
  • check the expiry easily with openSSL
openssl s_client -connect | openssl x509 -noout -enddate
depth=1 C = US, O = DigiCert Inc, OU =, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
notAfter=May 10 12:00:00 2022 GMT

8. sources