
Certificate Chaining

Certificate chain

A certificate chain is a sequence of certificates, where each certificate in the chain is signed by the subsequent certificate.

Self-signed certificate

The last certificate in the chain is normally a self-signed certificate—a certificate that signs itself.


Figure 1 shows an example of a simple certificate chain.

Figure 1. A Certificate Chain of Depth 2

[Image: a certificate chain of depth 2 has only one CA signature]

Chain of trust

The purpose of a certificate chain is to establish a chain of trust from a peer certificate to a trusted CA certificate. The CA vouches for the identity in the peer certificate by signing it. If the CA is one that you trust (indicated by the presence of a copy of the CA certificate in your root certificate directory), this implies you can trust the signed peer certificate as well.

Certificates signed by multiple CAs

A CA certificate can be signed by another CA. For example, an application certificate could be signed by the CA for the finance department of Progress Software, which in turn is signed by a self-signed commercial CA. Figure 2 shows what this certificate chain looks like.

Figure 2. A Certificate Chain of Depth 3

[Image: a certificate chain of depth 3 has two CA signatures]

Trusted CAs

An application can accept a peer certificate, provided it trusts at least one of the CA certificates in the signing chain.

See Specifying Trusted CA Certificates.
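
The trust decision described above can be reproduced with the OpenSSL command-line tool. This is an added example, not part of the original documentation or of Fuse ESB's own configuration: it assumes `openssl` 1.1.1 or later is installed, and every subject name and file name in it is constructed. It builds the depth-3 chain (self-signed root CA, department CA, application certificate) and checks the application certificate against four different sets of trusted CAs.

```shell
#!/bin/sh
# Added example: root CA -> department CA -> application certificate (depth 3).
# Every subject and file name here is constructed for the illustration.
set -eu

new_root() {    # $1=dir $2=file stem $3=CN  (self-signed CA certificate)
  openssl req -x509 -config "$1/ext.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" -days 1 2>/dev/null
}

new_signed() {  # $1=dir $2=file stem $3=CN $4=issuer stem $5=extension section
  openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -extfile "$1/ext.cnf" -extensions "$5" -days 1 \
    -out "$1/$2.pem" 2>/dev/null
}

build_chain() { # $1 = empty working directory
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  new_root   "$1" root  "Example Commercial Root CA"
  new_root   "$1" other "Unrelated Root CA"
  new_signed "$1" dept  "Example Finance Department CA" root v3_ca
  new_signed "$1" app   "app.example.test"              dept v3_leaf
}

accepts() {     # $1=dir, remaining args = trust options for `openssl verify`
  d=$1; shift
  openssl verify "$@" "$d/app.pem" >/dev/null 2>&1
}

report() { if accepts "$@"; then echo "accepted"; else echo "rejected"; fi; }

w=$(mktemp -d); build_chain "$w"
echo "root trusted, dept CA supplied: $(report "$w" -CAfile "$w/root.pem" -untrusted "$w/dept.pem")"
echo "root trusted, dept CA missing:  $(report "$w" -CAfile "$w/root.pem")"
echo "only dept CA trusted:           $(report "$w" -partial_chain -CAfile "$w/dept.pem")"
echo "only unrelated CA trusted:      $(report "$w" -CAfile "$w/other.pem" -untrusted "$w/dept.pem")"
rm -rf "$w"
```

OpenSSL only treats a non-root CA as a trust anchor when `-partial_chain` is given, which is why the third check passes that option. The second check is rejected even though the root is trusted, because the verifier has no copy of the department CA certificate with which to link the application certificate to the root.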
