Part 1 of 6
A simple guide to TLS certificates, certificate chains, root CAs, and intermediates for Linux users, website owners, and beginners.
Introduction
If you run a blog, website, reverse proxy, API, mail server, or admin panel, you are already depending on TLS certificates. Many people use them every day without fully understanding how they work. That is normal. But with browser trust changes and shorter certificate lifetimes becoming more important, this is a good time to learn the basics.
When a visitor opens your site over HTTPS, their browser checks a few things. It checks whether the certificate matches the domain name, whether the certificate is still valid by date, and whether it chains back to a trusted root CA.
What is a certificate chain?
A simple way to think about it is this:
- The leaf certificate is the certificate installed on your website or server.
- The intermediate certificate is the certificate that issued your server certificate.
- The root certificate is the trust anchor already stored in the browser or operating system.
The root certificate is usually not something you install on your web server. The browser or operating system already has it in its trust store. What your server usually needs is the correct server certificate and the correct intermediate certificate.
Why certificate problems happen
Certificate errors are not always caused by expiry. A site can break because the intermediate certificate is missing, the chain is incomplete, the browser no longer trusts the root behind the chain, or the wrong certificate files were installed on the server.
For Linux users, the important lesson is simple: a TLS certificate is not just one file. It is part of a trust chain, and that full chain matters.
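To see the missing-intermediate failure described above on a Linux machine, this added example (not part of the original post) builds a throwaway root, intermediate, and leaf with openssl, then validates what a server would send against a trust store that holds only the root. The names Demo Root CA, Demo Intermediate CA and www.example.test, the file names, and the helper functions are all constructed for the demo; it assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example with constructed data: a throwaway root -> intermediate -> leaf
# chain, used to show what a client sees when the server omits the intermediate.

# issue <name> <common name> <extension file> <issuer name | self>
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null || return 1
  if [ "$4" = self ]; then
    # Root CA: self-signed, this is the trust anchor
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$3" \
      -days 30 -out "$1.pem" 2>/dev/null
  else
    # Everything else is signed by the certificate one level up
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  fi
}

# build_demo_pki <dir>: creates root, inter, leaf and two "server" bundles
build_demo_pki() {
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
    issue root  "Demo Root CA"         ca.ext   self  &&
    issue inter "Demo Intermediate CA" ca.ext   root  &&
    issue leaf  "www.example.test"     leaf.ext inter &&
    cp leaf.pem leaf-only.pem &&              # misconfigured server: leaf alone
    cat leaf.pem inter.pem > fullchain.pem )  # correct server: leaf + intermediate
}

# client_accepts <trusted root> <bundle the server sends>
# The first certificate in the bundle is the one verified; the rest of the
# bundle is offered as untrusted helper certificates, as in a TLS handshake.
client_accepts() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
for bundle in leaf-only.pem fullchain.pem; do
  if client_accepts "$demo_dir/root.pem" "$demo_dir/$bundle"; then
    echo "$bundle: chain verifies back to the trusted root"
  else
    echo "$bundle: chain broken (client cannot find the issuer)"
  fi
done
```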
Closing thoughts
If you have ever wondered why one browser says a site is secure while another complains, the answer is often somewhere in the certificate chain.
Read next: Why Mozilla and Chrome Are Distrusting Some Older DigiCert Certificate Chains