View Categories

Explaining SSL Certificates

2 min read

About the TLS terminology used in the cert-manager documentation such as publicly trustedself-signedrootintermediate and leaf certificate.

publicly trusted

What does “publicly trusted” mean?

Broadly speaking, a “publicly trusted” certificate is one that you can use on the Internet and expect that most reasonably up-to-date computers will be able to verify it using their system trust store.

There isn’t a single standard trust store containing certs which are “publicly trusted”, but generally most of the commonly seen trust stores are similar

Some common SSL trust stores include: “cacerts” (Java’s default trust store), Windows Certificate Store, macOS Keychain, and OpenSSL’s system-wide trust store; these are essentially repositories where trusted root certificates from various Certification Authorities (CAs) are stored, allowing applications to verify the authenticity of SSL certificates presented by servers.

self-signed

What does “self-signed” mean?

Self-signed means exactly what it says; a certificate is self-signed if it is signed by its own private key.

Self-signed is a commonly confused term, however, and is very frequently misused to mean “not publicly trusted”. We tend to use terms like “private PKI” to denote the situation where an organization might have their own internal CA certificates which wouldn’t be trusted outside of the organization.

Your certificate is self-signed only if it’s signed with its own key.

root

What does “root” mean?

Roots are self-signed certificates and almost always marked as CA certificates. They’re usually not sent over the wire during a TLS handshake because they need to be explicitly trusted in order to be validated.

Roots are sometimes defined as “CA certificates which are explicitly trusted”—which can include certificates which aren’t self-signed.

Changing trust stores to include new roots or remove old ones is a non-trivial task which can take months or years for publicly trusted roots. For this reason roots are usually issued with very long lifetimes, often on the order of decades.

Example of some ROOT CA’s

  • SSL.com (where Entrust customers migrated to)
  • digicert (where Symantec customers migrated to)
  • GlobalSign
  • GeoTrust (subsidiary of DigiCert)

intermediate

What does “intermediate” mean?

Intermediates are CA certificates signed by another CA. Most intermediates will be signed by a root certificate, but it’s possible to construct longer chains where an intermediate can be signed by another intermediate.

Intermediate certificates are usually issued with a much shorter lifetime than the CA which signed them. On the Internet, intermediate certificates are used on network-connected machines for day-to-day issuance so that the highly-valuable root certificates can remain entirely offline.

While intermediate certificates can also be explicitly trusted via addition to a trust store, they’re usually validated by “walking up” the chain and validating signatures until an explicitly trusted self-signed root certificate is found.

leaf certificate

What does “leaf” mean?

A “leaf certificate” is what is more commonly known as end-entity certificate or an individual server certificate. Certificates come in chains, starting with the root CA, each certificate being the CA which issued (signed) the next one. The last certificate is the non-CA certificate which contains the public key you actually want to use.

Leaf certificates are usually used to represent a particular identity, rather than being used to sign other certificates. On the Internet leaf certificates usually identify a particular domain, such as example.com . Leaf certificates are sent first in a chain of certificates and represent the end of that chain.

If the PKI is represented as a tree, with the root CA as the root, then end-entity certificates are the leaves.

Protected By
Shield Security