Certificate Chaining


Figure 25-2 demonstrates the concept of certificate chaining. It shows a tree in which a Leaf Certificate Authority (CA) issues certificates to the end entity, which is the end user or subject. The end entity could be a system, a user, or a server. An Intermediate CA is a CA between the Leaf CA and the Root CA; there could be multiple Intermediate CAs between the Root CA and the Leaf CA. The number of CAs that are traversed from one end entity to the next is the path length.

Figure 25-2: Certificate chaining
Note

An example of a path length is the number of CAs traversed from the end entity H to I, which would be a path length of 1. If H needs to validate a certificate from the end entity J, the certificate path would be D->B->E. In this case, J has set a Trust Anchor at E.

The Root CA is the Trust Anchor for all CAs and for the end entity; it is the most trusted point in the hierarchy. The Root CA is self-signed, meaning that the issuer and subject of its certificate are the same value, and it is the origin of the certificate tree. In Figure 25-2, the CA issuers work from the top down to the end entity, each node trusting the node above it. The Root CA's certificate is self-signed because no other CA can issue a certificate to the root, so the Root CA issues the certificate to itself. The Root CA can then issue certificates to the next level of Intermediate CAs.

The Intermediate CAs one level above the Leaf CAs issue certificates to the Leaf CAs. When the Root CA issues a certificate, it uses its private key to encrypt (sign) the certificate, and the Intermediate CA uses the Root CA's public key to decrypt (verify) it. There is normally only one Trust Anchor per end entity, and it determines the path of the CAs, because the certificate path must go through the Trust Anchor of the end entity. The Root CA issues a certificate to all CAs to establish trust throughout the certificate path. Notice the tree-like structure of the certificate hierarchy. The X.500 protocol produces a directory tree-like structure following a similar hierarchy.
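The path-walking, path-length and private-key-signs / public-key-verifies steps described above, as an added Python example that is not from the book (the book's own examples are in Java; Python is used here so the example runs with no third-party library). It models the hierarchy of Figure 25-2 with constructed names ("Root CA", "Intermediate CA", "Leaf CA", "host.example") and a textbook RSA built from tiny primes, so that signing with the issuer's private key and verifying with its public key is real arithmetic rather than a stub; the key sizes are deliberately insecure and only illustrate the mechanism. The path length it returns counts the CAs traversed from the end entity up to and including the first trust anchor met, one convention for the definition given in the text.

```python
"""Toy certificate chain builder and validator (constructed example).

Root CA -> Intermediate CA -> Leaf CA -> end entity, as in Figure 25-2.
The RSA here uses ~40-bit moduli: it demonstrates the mechanism only and
must never be used for real keys.
"""
import hashlib
import math
from dataclasses import dataclass


# ---- toy RSA ------------------------------------------------------------
def next_prime(start: int) -> int:
    """Smallest prime >= start, by trial division (adequate around 1e6)."""
    n = max(start, 2)
    while True:
        if all(n % k for k in range(2, math.isqrt(n) + 1)):
            return n
        n += 1


def keypair(seed: int, e: int = 65537):
    """Deterministic toy key pair per CA: returns ((n, e), (n, d))."""
    p = next_prime(1_000_000 + 1000 * seed)
    q = next_prime(p + 1)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:   # e must be invertible mod phi
        q = next_prime(q + 1)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))             # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _digest(data: bytes, n: int) -> int:
    """Hash the to-be-signed bytes and reduce into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(_digest(data, n), d, n)            # issuer's private key


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)   # issuer's public key


# ---- certificates -------------------------------------------------------
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: tuple
    is_ca: bool
    signature: int = 0

    def tbs(self) -> bytes:
        """The to-be-signed fields; the issuer's signature covers exactly these."""
        return f"{self.subject}|{self.issuer}|{self.public_key}|{self.is_ca}".encode()


def issue(issuer_name: str, issuer_private, subject: str, subject_public, is_ca: bool) -> Cert:
    """The issuer signs the subject's certificate with its own private key."""
    unsigned = Cert(subject, issuer_name, subject_public, is_ca)
    return Cert(subject, issuer_name, subject_public, is_ca, sign(issuer_private, unsigned.tbs()))


def build_demo_pki():
    """Constructed hierarchy: root (self-signed) -> intermediate -> leaf -> host."""
    root_pub, root_priv = keypair(1)
    inter_pub, inter_priv = keypair(2)
    leaf_pub, leaf_priv = keypair(3)
    host_pub, _host_priv = keypair(4)
    root = issue("Root CA", root_priv, "Root CA", root_pub, True)      # issuer == subject
    inter = issue("Root CA", root_priv, "Intermediate CA", inter_pub, True)
    leaf = issue("Intermediate CA", inter_priv, "Leaf CA", leaf_pub, True)
    host = issue("Leaf CA", leaf_priv, "host.example", host_pub, False)
    store = {c.subject: c for c in (root, inter, leaf)}                # CA certs by name
    return store, host


# ---- path building and validation --------------------------------------
def validate_path(end_cert: Cert, store: dict, trust_anchors: set) -> list:
    """Walk issuer pointers from the end entity upward, verifying each link.

    Returns the CA subjects traversed, ending at the first trust anchor met.
    Raises ValueError if a link is missing, unsigned by a CA, has a bad
    signature, or the self-signed root is reached without meeting an anchor.
    """
    traversed, current = [], end_cert
    while True:
        issuer = store.get(current.issuer)
        if issuer is None:
            raise ValueError(f"issuer {current.issuer!r} not in store")
        if not issuer.is_ca:
            raise ValueError(f"{issuer.subject!r} is not a CA")
        if not verify(issuer.public_key, current.tbs(), current.signature):
            raise ValueError(f"bad signature on {current.subject!r}")
        traversed.append(issuer.subject)
        if issuer.subject in trust_anchors:
            return traversed                       # stop at the relying party's anchor
        if issuer.issuer == issuer.subject:
            raise ValueError("reached the self-signed root without meeting a trust anchor")
        current = issuer


def path_length(end_cert: Cert, store: dict, trust_anchors: set) -> int:
    return len(validate_path(end_cert, store, trust_anchors))


def is_valid(end_cert: Cert, store: dict, trust_anchors: set) -> bool:
    try:
        validate_path(end_cert, store, trust_anchors)
        return True
    except ValueError:
        return False


def tampered(cert: Cert) -> Cert:
    """Same signature, altered subject: the signature no longer covers the fields."""
    return Cert("evil.example", cert.issuer, cert.public_key, cert.is_ca, cert.signature)


if __name__ == "__main__":
    store, host = build_demo_pki()
    print(validate_path(host, store, {"Root CA"}))
    print(validate_path(host, store, {"Intermediate CA"}))
    print(is_valid(tampered(host), store, {"Root CA"}), is_valid(host, store, set()))
```

Three behaviours are worth noticing when running it. Validation stops as soon as the trust anchor is met, so a relying party that anchors at the Intermediate CA never consults the Root CA at all, which is the sense in which the anchor "determines the path". A certificate whose subject was altered after issuance is rejected because the signature was computed over the to-be-signed fields and no longer matches. And a chain that climbs all the way to a self-signed root which the relying party has not configured as an anchor is rejected too: self-signing proves nothing on its own, trust in the root has to be installed out of band.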

  


Java Security Solutions
ISBN: 0764549286
Year: 2001
Pages: 222