A certificate chain (see the equivalent concept of "certification path" defined by RFC 5280 section 3.2) is a list of certificates (usually starting with an end-entity certificate) followed by one or more CA certificates (usually the last one being a self-signed certificate), with the following properties:
- The Issuer of each certificate (except the last one) matches the Subject of the next certificate in the list
- Each certificate (except the last one) is signed by the secret key corresponding to the next certificate in the chain (i.e. the signature of one certificate can be verified using the public key contained in the following certificate)
- The last certificate in the list is a trust anchor: a certificate that you trust because it was delivered to you by some trustworthy procedure
Certificate chains are used in order to check that the public key contained in a target certificate (the first certificate in the chain) and other data contained in it effectively belongs to its subject.
In order to ascertain this, the signature on the target certificate is verified by using the public key contained in the following certificate, whose signature is verified using the next certificate, and so on until the last certificate in the chain is reached.
As the last certificate is a trust anchor, successfully reaching it will prove that the target certificate can be trusted.
Certificates are created in a hierarchy where each individual certificate is linked to the certification authority (CA) that issued the certificate.
This link is to the CA’s certificate.
The CA’s certificate then links to the CA that issued the original CA’s certificate.
This process is repeated up until the Root CA’s certificate is reached.
The Root CA’s certificate is inherently trusted.
Digital certificates are used to authenticate an entity by relying on this hierarchy, also called a chain of trust.