When establishing a TLS connection, web servers are required to send the complete certificate chain up to - but not including - the root CA certificate. In your Apache setup with Verisign certificates, this means:
Server sends:
- Leaf certificate (yourdomain.com)
- Intermediate CA certificate(s)
But NOT the root CA certificate
The chain construction follows RFC 5246 (TLS 1.2) specifications where servers must provide sufficient certificates for path validation.
Modern browsers like Chrome perform these validation steps:
- Verify the leaf certificate's signature against the intermediate
- Check if any intermediate needs to be downloaded (rare cases)
- Match the root CA with its trust store
# Example OpenSSL verification command
openssl verify -CAfile /path/to/trusted_certs.pem -untrusted intermediate.crt leaf.crt
For your LAMP development environment without internet:
- Clients don't need online verification if:
  - The root CA is in the local trust store
  - The server sent complete intermediates
- OCSP/CRL checks will fail but most clients have soft-fail behavior
Ensure proper chain configuration in Apache:
# httpd.conf or ssl.conf
SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_domain.key
# Older Apache: intermediates in a separate file
SSLCertificateChainFile /path/to/intermediate.crt
# OR for newer versions: one file containing leaf + intermediates
SSLCertificateFile /path/to/combined.crt
Verify your chain using:
openssl s_client -connect yourdomain:443 -showcerts </dev/null | openssl x509 -noout -text
Common symptoms of incomplete chains:
- SSL_ERROR_BAD_CERT_DOMAIN
- ERR_CERT_AUTHORITY_INVALID
- "Trust anchor not found" errors
Test your configuration with:
curl -v https://yourdomain.com
# Look for "SSL certificate verify ok"
When a web server (like Apache or Nginx) establishes a TLS connection, it sends the entire certificate chain to the client by default. This includes:
1. The leaf certificate (your server's certificate)
2. Any intermediate certificates
3. (Optionally) the root certificate
Most servers are configured to send the chain automatically. Here's a typical Apache configuration snippet:
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/intermediate_certificate.crt
Modern browsers like Chrome follow this verification process:
- Verify the leaf certificate's signature using the intermediate certificate
- Check if the intermediate is signed by a trusted root
- Validate certificate expiration and revocation status (via OCSP/CRL)
Clients don't need to download certificates they already trust. The root CA certificate is typically pre-installed in the browser's trust store.
When a client can't contact the CA (like Verisign in your example):
- The browser uses cached intermediate certificates if available
- OCSP stapling (if configured) provides revocation status without online checks
- Without internet, the browser may show a warning if hard-fail revocation checking is enabled
Example of OCSP stapling in Apache:
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
To ensure proper certificate chain handling:
# Test your chain with OpenSSL:
openssl s_client -connect yourdomain.com:443 -showcerts </dev/null
Common issues to watch for:
- Missing intermediate certificates in server configuration
- Incorrect chain order (should be leaf → intermediate → root)
- Expired or misconfigured OCSP stapling
Use these tools to verify your setup:
# Check certificate chain completeness:
openssl verify -untrusted intermediate.crt your_domain.crt
# Test OCSP response:
openssl s_client -connect example.com:443 -status </dev/null 2>&1 | grep -i "OCSP response"
Remember that proper chain configuration is crucial for both security and compatibility across different client devices and browsers.
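Both answers come down to one check: the leaf validates only if the client can build a path from it to a root in its own trust store using the intermediates the server sent. The script below is an added example, not code from either answer; it builds a constructed root/intermediate/leaf chain with openssl (all names and paths are placeholders) and runs `openssl verify` with and without the intermediate, the same path-building an offline client performs.

```shell
#!/bin/sh
# Added example (not from either answer above): build a throwaway
# root -> intermediate -> leaf chain with openssl, then verify the leaf
# against the trusted root with and without the intermediate, the same
# path-building an offline client does. All names are constructed placeholders.

build_demo_chain() {
  d="$1"; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:yourdomain.example\n' > "$d/leaf.ext"
  # Root CA: self-signed; this is what sits in the client's trust store
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -sha256 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -sha256 -in "$d/int.csr" -CA "$d/root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  # Leaf (server) certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=yourdomain.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -sha256 -in "$d/leaf.csr" -CA "$d/int.crt" \
    -CAkey "$d/int.key" -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# verify_chain DIR UNTRUSTED: exit 0 if leaf.crt chains to root.crt using only
# the extra certificates in UNTRUSTED ("" = the server sent no intermediate).
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
  fi
}

demo="${TMPDIR:-/tmp}/chain-demo.$$"
build_demo_chain "$demo"
if verify_chain "$demo" ""; then
  echo "leaf only: verified (unexpected)"
else
  echo "leaf only: FAILS - unable to get local issuer certificate"   # missing intermediate
fi
if verify_chain "$demo" "$demo/int.crt"; then
  echo "leaf + intermediate: OK"                                     # what a correct server sends
else
  echo "leaf + intermediate: FAILS"
fi
```

The generated files stay under the demo directory, so the same `openssl x509 -noout -text` command from the answers can be used to inspect each certificate's basicConstraints and issuer.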