What happens while curl https domains?
-The simplest command to use for example is curl "https://www.vodafone.com/"
-curl is making a GET request and returns the page source without any error because the server uses Trusted CA Signed SSL Certificates.
This means that the server is using a certificate that was signed by a trusted authority.
What is certificate chain?
-when you curl a domain name there are sequences happen in order to
establish a secure connection between the remote server and client,
beyond DNS resolution, TCP handshake and SSL/TLS handshake, Server sends
its SSL/TLS certificate chain to the client [including all intermediate
certificates up to (but not including) the root certificate].
-certificate chain is an ordered list of certificates and each certificate
in the chain is signed by the entity identified by the next certificate
in the chain, that enables the receiver to verify that the sender and all
CAs are trustworthy.
Certificate chain typically includes:
1-Leaf Certificate:
Issued to the domain (e.g., www.vodafone.com). This certificate is
used to encrypt the communication between the client and the server.
And known as SSL/TLS Certificate
2-Intermediate Certificate(s):
-Any certificate that sits between the SSL/TLS Certificate and the
Root Certificate is called a chain or Intermediate Certificate.
-The Intermediate Certificate is the signer/issuer of the SSL/TLS
Certificate which is the leaf one or previous intermediate one.
-The Root CA Certificate is the signer/issuer of the Intermediate
or last intermediate Certificate.
-If the Intermediate Certificate is not installed on the server (where
the SSL/TLS certificate is installed) it may prevent some browsers,
mobile devices, applications, etc. from trusting the SSL/TLS
certificate.
-In order to make the SSL/TLS certificate compatible with all clients,
it is necessary that the Intermediate Certificate be installed.
3-Root CA Certificate: Trusted Root Certificate Authority List
-The root CA (Certificate Authority) certificate is the top-most
certificate in the certificate chain. It is self-signed and must be
verified up to The Root CA Certificate, meaning the issuer and
subjects are the same.
-It serves as the ultimate trust anchor for all certificates issued
under it.
-Root CA certificates are typically distributed with operating systems
and browsers so that they are trusted by default.
Use Case: checking "https://www.vodafone.com" https://www.ssllabs.com/ssltest/analyze.html?d=vodafone.com
and you can find the leaf certificate www.vodafone.com is issued by the chain one DigiCert SHA2 Secure Server CA, and the chain certificate is issued by trusted CA DigiCert Global Root CA.
You can connect to the server and retrieve the certificate chain using openssl s_client. This command will show you the certificates sent by the server
-showcerts: Displays all certificates sent by the server
[sh@ip-10-160-78-8 ~]$ openssl s_client -connect www.vodafone.com:443 -showcerts
What may cause a problem?
-If the server has 2 intermediate certificates, and sends only one intermediate certificate (the one directly issuing the leaf certificate) but omits the second intermediate certificate (the one issuing the first intermediate certificate), the client might not be able to validate the certificate chain properly
for more issues and troubleshooting
For more info: https://www.digicert.com/blog/what-is-a-certificate-authority
Top comments (0)