SSL certificates: what they are and how the chain of trust works
X.509 certificates, Subject and Issuer fields, CA hierarchy, root CA, intermediate CA, leaf certificate, certificate chain validation, SAN fields
Certificates and the Chain of Trust
A TLS certificate is a signed document that binds a domain name to a public key. The signature is what makes it trustworthy — anyone can create a certificate, but only a trusted Certificate Authority (CA) can sign one that browsers accept.
The certificate chain
Root CA: Self-signed certificates preinstalled in your OS and browser. There are around 130 trusted root CAs globally. Mozilla, Google, and Apple control which CAs are included.
Intermediate CA: Root CAs do not sign site certificates directly (to limit exposure if a key leaks). They sign intermediate CAs, which do the actual signing.
Leaf certificate: The certificate your server presents. It contains the domain name (in the Subject Alternative Name / SAN field), your public key, validity period, and the issuer's signature.
# Inspect a site's certificate chain
openssl s_client -connect example.com:443 -showcerts 2>/dev/null \
| openssl x509 -noout -text | grep -A2 "Subject:"
# Check expiry date
echo | openssl s_client -connect example.com:443 2>/dev/null \
| openssl x509 -noout -datesValidation
The browser walks the chain: verifies each certificate's signature using the issuer's public key, until it reaches a trusted root. It also checks: the domain in the SAN matches the hostname, the current date is within the validity period, and the certificate is not revoked (via OCSP or CRL). Any failure → red padlock.