> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kaushal Shriyan
>
> I am new to SSL/TLS Certificates. Please help me understand what is the
> difference between ROOT CA Certs and Intermediate Certs or Chain Certs. I
> will appreciate if I can refer to some books or tutorials to know about
> SSL/TLS technology.

I don't know how you learn about SSL/TLS, other than (a) reading the internet, and working on it a lot, (b) taking some courses on general cryptography (there is a free online course at coursera.com, which is quite good), and (c) the thing that I actually found the most useful, a general book on cryptography called Cryptography Engineering, by Bruce Schneier, Niels Ferguson, Tadayoshi Kohno.

The root cert is self-signed (so it is signed by itself). The intermediate cert is signed by the root cert. And your leaf cert is signed by the intermediate.

A client who receives the cert chain (the root, intermediate, and leaf) can follow a process to

(a) verify that the leaf cert is not corrupted, and that the intermediate cert has verified it,
(b) verify that the intermediate cert is not corrupted, and that the root cert has verified it, and that the intermediate cert is in fact authorized by the root cert to perform the authorization of the leaf cert, and
(c) verify that the root cert is among the list of certs that the client "trusts."

How and why do you trust any root certs? Generally they're built-in to your OS or your browser, so you're just blindly trusting that those guys know what they're doing.
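
The three checks described in the reply above, as an added example that is not part of the original message: the script builds a constructed root, intermediate and leaf with the `openssl` command line and validates them with `openssl verify`. The certificate names, file names and the helper functions `mkcert`, `build_chain` and `check` are assumptions made for the example; it also goes one step beyond the message by creating a certificate issued by the leaf, which validation must reject because the leaf is not a CA.

```bash
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf chain (all names made up).

# mkcert DIR NAME CN EXT_SECTION [ISSUER_NAME]; no issuer means self-signed.
mkcert() {
  dir=$1 name=$2 cn=$3 ext=$4 issuer=${5:-}
  if [ -z "$issuer" ]; then
    # Root CA: signed with its own key, so issuer and subject are the same.
    openssl req -x509 -config "$dir/ca.cnf" -extensions "$ext" -newkey rsa:2048 \
      -nodes -keyout "$dir/$name.key" -out "$dir/$name.pem" -subj "/CN=$cn" \
      -days 30 2>/dev/null
  else
    # Anything else: make a CSR, then have the issuer's key sign it.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$cn" 2>/dev/null &&
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" \
      -CAkey "$dir/$issuer.key" -CAcreateserial -extfile "$dir/ca.cnf" \
      -extensions "$ext" -days 30 -out "$dir/$name.pem" 2>/dev/null
  fi
}

# build_chain DIR: writes the config, then every certificate used below.
build_chain() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
EOF
  mkcert "$1" root  "Example Root CA"         ca        &&
  mkcert "$1" int   "Example Intermediate CA" ca   root &&
  mkcert "$1" leaf  "www.example.test"        leaf int  &&
  mkcert "$1" other "Unrelated Root CA"       ca        &&
  mkcert "$1" rogue "rogue.example.test"      leaf leaf &&  # issued by a non-CA
  cat "$1/int.pem" "$1/leaf.pem" > "$1/bundle.pem"
}

# check DIR TRUSTED_ROOT UNTRUSTED_FILE CERT: status 0 only if the chain validates.
check() {
  openssl verify -CAfile "$1/$2.pem" -untrusted "$1/$3" "$1/$4.pem" >/dev/null 2>&1
}
# Usage: d=$(mktemp -d) && build_chain "$d" && check "$d" root int.pem leaf && echo OK
```

`check "$d" other int.pem leaf` fails because the chain ends at a root the verifier was not told to trust, and `check "$d" root bundle.pem rogue` fails because the leaf carries `CA:FALSE` and so is not authorized to issue certificates.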