On 23 Apr 2014, at 2:23 PM, Kaushal Shriyan <kaushalshri...@gmail.com> wrote:
> I am new to SSL/TLS Certificates. Please help me understand what the
> difference is between ROOT CA Certs and Intermediate Certs or Chain Certs.
> I would appreciate it if I could refer to some books or tutorials to learn
> about SSL/TLS technology.

The closest thing you'll probably encounter in the real world to a digital certificate is a diploma or degree from an educational institution.

Anyone can write "John Smith (PhD)" on a piece of paper; that doesn't indicate anything special or prove anything. We might improve that by writing "John Smith (PhD), Faculty of Philosophy" on that piece of paper, but again, which faculty of philosophy? Never heard of them. Still, the piece of paper is useless.

We can however write "John Smith (PhD), Faculty of Philosophy, University of Cambridge" on the piece of paper and sign it by putting a great big seal on the paper to make it hard to forge. In theory, we have heard of and trust the University of Cambridge, and in turn the University of Cambridge trusts the Faculty of Philosophy, which in turn trusts John Smith. If we trust the University of Cambridge, then we trust John Smith.

If we were using digital certificates instead of a certificate you might hang on a wall, we might create a certificate called "cn=John Smith (PhD)" and get John Smith to sign it. This cert is largely meaningless, given that in order to trust John Smith we need to already trust John Smith using some out-of-band method. This is a self-signed certificate.

If we were using certificates with a full certificate authority, we would instead have a certificate called "cn=John Smith (PhD)" issued by and signed by "ou=Faculty of Philosophy", which is in turn issued by and signed by "o=University of Cambridge". The "o=University of Cambridge" certificate is called the ROOT CA certificate, because we have manually trusted that one using an out-of-band method (we might have got it built into our browser).

The intermediate certificate is the "ou=Faculty of Philosophy" certificate, which is trusted by "o=University of Cambridge" and trusts "cn=John Smith (PhD)". John Smith is the leaf certificate, trusted by the others. All you need to do is trust the root CA certificate "o=University of Cambridge", and you automatically trust everyone they trust, including "cn=John Smith (PhD)".

Instead of relying on a big elaborate piece of paper with a wax seal on it, you rely on a mathematical equation that verifies that the certificate is legitimate, but the idea is the same.

Regards,
Graham

--
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
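The chain Graham describes, built and checked with the openssl command line. This is an added example, not part of the original thread: it creates the self-signed root "o=University of Cambridge", an intermediate "ou=Faculty of Philosophy" signed by the root, a leaf "cn=John Smith (PhD)" signed by the intermediate, and a second copy of the leaf that John Smith signs himself. It then runs `openssl verify` four ways to show when a chain is accepted and when it is not. File names, key sizes, validity periods and the extension contents are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build the three-tier chain
# described above with the openssl CLI and verify it the way a TLS client
# does. File names, key sizes and validity periods are assumptions.
set -eu

# Generate a key pair and a certificate signing request for one subject.
# $1 = working dir, $2 = base file name, $3 = subject DN
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -subj "$3" -out "$1/$2.csr" 2>/dev/null
}

# Build root.pem (self-signed, CA:TRUE), int.pem (CA:TRUE, signed by the root),
# leaf.pem (CA:FALSE, signed by the intermediate) and selfsigned.pem (the same
# leaf request signed with its own key) inside directory $1.
build_chain() {
    d=$1
    # Extension profiles: a CA may sign certificates, a leaf may not.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$d/leaf.ext"

    # Root CA: "o=University of Cambridge" signs its own certificate. Nothing
    # vouches for it; the relying party has to install it out of band.
    make_csr "$d" root "/O=University of Cambridge"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

    # Intermediate: "ou=Faculty of Philosophy", issued and signed by the root.
    make_csr "$d" int "/O=University of Cambridge/OU=Faculty of Philosophy"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1825 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null

    # Leaf: "cn=John Smith (PhD)", issued and signed by the intermediate.
    make_csr "$d" leaf "/CN=John Smith (PhD)"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 365 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null

    # Self-signed leaf: the same request, signed with John Smith's own key.
    openssl x509 -req -in "$d/leaf.csr" -signkey "$d/leaf.key" -days 365 \
        -extfile "$d/leaf.ext" -out "$d/selfsigned.pem" 2>/dev/null
}

# verify_leaf CERT TRUSTED [UNTRUSTED]
# Exit status 0 only if CERT chains to a certificate in TRUSTED. UNTRUSTED
# holds intermediates the verifier may use to build the path but must not
# treat as trust anchors, which is how a TLS client treats the chain a
# server sends alongside its own certificate.
verify_leaf() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

demo() {
    d=$(mktemp -d)
    build_chain "$d"
    for c in root int leaf selfsigned; do
        echo "== $c.pem"
        openssl x509 -in "$d/$c.pem" -noout -subject -issuer
    done
    echo "== full chain, root trusted, intermediate supplied:"
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem" || true
    echo "== leaf alone: the verifier cannot reach the root without the intermediate:"
    openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" || true
    echo "== self-signed leaf against the root: no path to anything we trust:"
    openssl verify -CAfile "$d/root.pem" "$d/selfsigned.pem" || true
    echo "== self-signed leaf trusted out of band (it is its own root):"
    openssl verify -CAfile "$d/selfsigned.pem" "$d/selfsigned.pem" || true
    rm -rf "$d"
}

demo
```

The second and third checks are the ones that bite in practice: a server that sends only its leaf certificate, or a self-signed certificate, fails verification for exactly the reason the post gives, the verifier has no signed path from the presented certificate back to a root it already trusts. The last check shows the self-signed case passing only once the certificate itself has been placed in the trust store, which is the out-of-band step.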