Tags: ssl, https, ssl-certificate, tls1.2, ca

HTTPS Chain of Trust Query


  • I have a Server Certificate, let's say A.
  • It is signed by Intermediate CA B.
  • Intermediate CA B cert is signed by Root CA C.

My queries here are:

  1. Should both B and C certificates be present on the end host?
  2. If only B is present, would the HTTPS transaction work?
  3. If only C is present, would the HTTPS transaction work?
  4. If yes for 2 and 3, what's the logic that it would use for verification?

Thanks in advance.


Solution

    1. If by “be present on end host”, you mean should the web server be configured with these certificates then the answer is No. It should only be configured with A and B. There is no point in returning C as that already needs to be on the client for the certificate to be trusted, so it’s a waste of bytes to resend it. Though, other than that, it won’t prevent the HTTPS connection from being established. But still wrong, so don’t do it.

    2. I’m assuming you mean if only A and B are present? That is the correct way to configure it and HTTPS will then work. The client will see A chains to B and then can see B is issued by C (which it should already have installed), so it can build a chain of trust back to a certificate it knows and trusts (C).

    3. Again I’m assuming you mean A and C? This one should fail, however it often will not, because of one of two reasons: First, browsers cache intermediary certificates, so if you visit another site that also uses a cert issued by B then it may work. But it’ll be intermittent. Secondly, each certificate has information about the issuer in the AIA, or Authority Information Access, field. This allows a browser to contact the certificate authority (CA) and ask for the missing certificate B so it can build a chain of trust. However both these methods are unreliable and so should not be depended on. Not every browser uses AIA (Firefox does not) and few non-browsers do, so connections from them will fail. Configure your web server to return A and B.

    4. Included this information in answers to 2 and 3.
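The chain-building logic the answer describes in points 2 and 3 (and the "extra root is harmless but pointless" point in 1) can be replayed offline with the openssl CLI. The script below is an added example, not code from the question or the answer: it builds a throwaway PKI (self-signed root C, intermediate B signed by C, server cert A signed by B), then runs `openssl verify` once per "what did the server send" case. The only assumption is that `openssl` (1.1.1 or 3.x) is on PATH; the CN values, the hostname www.example.test and the serial numbers are made up. A TLS client does the same thing `openssl verify` does here: it takes the certificates the server sent as untrusted input and tries to reach a root it already has.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Builds a throwaway PKI with the openssl CLI (assumed on PATH, 1.1.1 or 3.x):
#   C = self-signed root, B = intermediate signed by C, A = server cert signed by B
# and replays the client-side chain check for each "what did the server send"
# case from the answer. Names, hostname and serial numbers below are made up.

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on the system openssl.cnf.
write_req_cnf() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
}

# Fresh RSA key plus CSR for one entity: $1 = file stem, $2 = subject CN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

build_pki() {
  write_req_cnf
  make_csr c "Root CA C"
  make_csr b "Intermediate CA B"
  make_csr a "www.example.test"

  # C: self-signed root, allowed to sign certificates.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/c.csr" -signkey "$WORK/c.key" -days 365 -sha256 \
    -set_serial 1 -extfile "$WORK/ca.ext" -out "$WORK/c.pem" 2>/dev/null

  # B: signed by C; pathlen:0 means B may only issue end-entity certificates.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/b.csr" -CA "$WORK/c.pem" -CAkey "$WORK/c.key" \
    -days 365 -sha256 -set_serial 2 -extfile "$WORK/int.ext" -out "$WORK/b.pem" 2>/dev/null

  # A: the server certificate, signed by B, valid for TLS server use on one name.
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:www.example.test' > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/a.csr" -CA "$WORK/b.pem" -CAkey "$WORK/b.key" \
    -days 365 -sha256 -set_serial 3 -extfile "$WORK/srv.ext" -out "$WORK/a.pem" 2>/dev/null

  # What a server that needlessly appends the root (point 1 of the answer) would send.
  cat "$WORK/b.pem" "$WORK/c.pem" > "$WORK/b_and_c.pem"
}

# Replay the client's check. $1 = file of roots the client trusts ("" = no trust
# anchor for C), $2 = extra certs the server sent alongside A ("" = A only).
# Prints openssl's exit status: 0 means a chain from A to a trusted root was built.
client_verify() {
  trust_opts="-no-CAfile -no-CApath"
  if [ -n "$1" ]; then trust_opts="$trust_opts -CAfile $1"; fi
  untrusted_opts=""
  if [ -n "$2" ]; then untrusted_opts="-untrusted $2"; fi
  rc=0
  openssl verify $trust_opts $untrusted_opts -purpose sslserver \
    -verify_hostname www.example.test "$WORK/a.pem" >/dev/null 2>&1 || rc=$?
  echo "$rc"
}

build_pki
echo "client trusts C, server sends A+B       : rc=$(client_verify "$WORK/c.pem" "$WORK/b.pem")"        # 0
echo "client trusts C, server sends A only    : rc=$(client_verify "$WORK/c.pem" "")"                  # non-zero: no issuer for A
echo "client trusts C, server sends A+B+C     : rc=$(client_verify "$WORK/c.pem" "$WORK/b_and_c.pem")" # 0: the sent copy of C is ignored
echo "client lacks C, server sends A+B+C      : rc=$(client_verify "" "$WORK/b_and_c.pem")"            # non-zero: sending a root does not make it trusted
```

The second case is exactly the "A and C only" situation from point 3 with the two rescue mechanisms (intermediate caching, AIA fetching) unavailable, which is what a non-browser client such as curl, a Java service or a mail gateway sees. The last case shows why shipping C from the server buys nothing: the trust decision is made against the client's own store, never against what arrived over the wire.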