Cyrptography - Certificate chain

Certificate Validity Period Not Before Not After Portecle


A certificate can have been issued (signed) by another CA creating a chain (or path). See certificate chain

There are several types of certificate:

  • root certificate. The root of the tree. (All root CA certificates are self signed)
  • intermediate certificate. The beginning of a branch of the tree (signed by the root)
  • the certificate. The leaf of the tree signed by the intermediate.



  • from the chrome dev tool (F12) > security.

Certification Chain Path Chrome Dev

  • Direct issuer (first level)
openssl x509 -noout -subject -issuer -in file.pem
subject= /
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3


keytool -list -v -storetype jks -keystore truststore.jks -storepass changeit
Certificate chain length: 1

Show remotely

The shows the chain from the root to the leaf


openssl s_client -connect -servername -showcerts -prexit
  • Certificate chain verification
Loading 'screen' into random state - done
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN =
verify return:1

Check / verify

See Certificat and chain verification

Discover More
Certificate Validity Period Not Before Not After Portecle
CA Certificate

A CA certificate is a certificate used by a certificate authority to sign certificate. In the chain, it's the Root certificate or the intermediate certificates. Most organizations create an intermediate...
Certificate Validity Period Not Before Not After Portecle
Certificat and chain verification

A certificate check is equivalent to an authentication. The signature of the certificate is verified with the public key to check if it was signed (issued) by a trusted party (usually a trusted...
Protecle Certificate Extensions
Certificates - Extensions (X509v3 extensions)

extensions are key values that are part of a certificate. They are also known as the X509v3 extensions because they are defined in the x509 certificate format. The most known and extension are: ...
Cryptography - PKCS12

PKCS12 is a pkcs version 12. PKCS12 (ie p12 extension) is intended to store both: the private key and public certificate parts It has the capability of being password protected to provide some...
Chrome Truststore
Cryptography - Truststore

A truststore is a store that is (used normally on the client side) when making decisions what to trust. If you receive data from an entity that you already trust, and if you can verify that the entity...
400 Default Page No Required Ssl Certificate
How to configure certification based client authentication with Nginx ?

This article shows you how to configure a client authentication via the ownership of a certificat on a Nginx web server. The server should be already configured for HTTPS as client certificate (client...
Certificate Validity Period Not Before Not After Portecle
Identification Material - Certificate (or Public Key Certificate)

A certificate is a document which permits to define with certainty the owner of the private key (ensures that the party you are communicating with is whom you think.) because it's digitally signed A certificate...
Certification Chain Path Chrome Dev
Root Certificate

A root certificate is a CA certificate that is located at the top of the certificate chain. A root ca is a certificate authority certificate that is self signed. This example shows you how to create...
Trust model - Certificate authorities (CA) or Trusted Third party (TTP)

certificate authorities are the a “gatekeeper” of public and private keys. They are also known as trusted third partytrusted third party (TTP) The primary role of the CA is to: digitally sign...

Share this page:
Follow us:
Task Runner