
Certificate Chaining

A certificate chain is a sequence of certificates, where each certificate in the chain is signed by the subsequent certificate, that is, with the private key that matches the public key in the next certificate.

The last certificate in the chain is normally a self-signed certificate—a certificate that signs itself.

Figure 2.1 shows an example of a simple certificate chain.

The purpose of a certificate chain is to establish a chain of trust from a peer certificate to a trusted CA certificate. The CA vouches for the identity in the peer certificate by signing it. If the CA is one that you trust (indicated by the presence of a copy of the CA certificate in your root certificate directory), this implies you can trust the signed peer certificate as well.

A CA certificate can be signed by another CA. For example, an application certificate could be signed by the CA for the finance department of Progress Software, which in turn is signed by a self-signed commercial CA. Figure 2.2 shows what this certificate chain looks like.

An application can accept a peer certificate, provided it trusts at least one of the CA certificates in the signing chain.