česky | english
Certificate chain and its construction
A program, which needs to check the trustfulness of a client or server certificate, has to create the certificate chain ending with a root certificate and/or any certificate with explicitly expressed trustfulness for the related program or system.
If the assembling algorithm successfully reach a CA root certificate, there is also possible that the root certificate is not trusted, because it's neither one of the "well-known trusted root" certificates issued by CA as Thawte or VeriSign, nor it is explicitly trusted.
Here is the algorithm (source: Felix Dörre):
- If cert is "trusted" explicitly (i. e. it was marked as such by the user, or it belongs to "well-known trusted root" certificates, exit the check completely with "trusted" - the certificate chain is successfully created.
- For all certs "parent" that match the issuer of "cert" in their "subject":
- validate its signature, validity by expiration date, revocation by the CRL, chaining,
- recurse on (1) with parent.
- Return "untrusted" - the certificate chain (to one trusted) could not be created.
Thus, for CAcert certificates, the certificate chain consists usually of 3 or 2 certificates, depending whether your client/server certificate is signed/issued with an intermediate class3 root certificate, or with the root class1 certificate, respectively.