Digital Certificates – Certificate Chaining
Root CA certificate
Intermediate CA or Issuing CA


End Entity Certificates

Certificate Chaining

The issuer of each certificate should match the subject of the next certificate in the chain. So the issuer of the end entity's certificate should correspond to the subject of the Issuing CA's certificate, and so on. This continues until we reach the Root certificate, which is self-signed: its issuer and subject are the same. If every certificate from the end entity to the Root verifies successfully, the certificates are properly chained.
When a CA issues a certificate, it signs that certificate with its private key, and the corresponding public key is contained in the Issuing CA's own certificate. The signature on the issued certificate should therefore verify against the public key in the issuer's certificate.
The root certificate is the trust anchor of the PKI. It should be stored in Microsoft Certificate Manager so that browsers trust certificates whose certification path ends in that Root certificate.
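
The two checks described above (issuer name equals the next certificate's subject, and the signature verifies under the issuer's public key), as an added Go example that is not part of the original article. The function names `issue` and `checkChain`, the certificate names, and the Ed25519 test certificates built in memory are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate; a nil parent means self-signed (a root).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // parses the DER produced just above
	return cert, key
}

// checkChain walks leaf -> rest... -> anchor (the root held in the trust store). Each
// certificate must name the next one as issuer and verify under its public key.
func checkChain(anchor, leaf *x509.Certificate, rest ...*x509.Certificate) error {
	path := append(append([]*x509.Certificate{leaf}, rest...), anchor)
	for i, cert := range path[:len(path)-1] {
		if string(cert.RawIssuer) != string(path[i+1].RawSubject) {
			return fmt.Errorf("certificate %d: issuer is not the subject of the next certificate", i)
		}
		if err := cert.CheckSignatureFrom(path[i+1]); err != nil {
			return fmt.Errorf("certificate %d: %w", i, err)
		}
	}
	return nil
}

func main() {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Issuing CA", true, root, rootKey)
	leaf, _ := issue("www.example.test", false, inter, interKey)
	fmt.Println(checkChain(root, leaf, inter, root), "|", checkChain(root, leaf, root))
}
```

The walk covers only names and signatures, not validity periods or revocation. A self-signed certificate that merely reuses the root's name fails the signature step, which is why the name match alone is not sufficient.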
