Creating a chain of trust

A certificate chain of trust, also known as the certification path, is a structure with a root certificate at the top-most level. A root certificate is made trustworthy by securing its physical distribution rather than by any signature from another certificate.

Figure 15. A chain of trust with a Root Certificate Authority (CA) certificate at the top.


The arrows on the right show how the chain of trust was established using the private keys to sign the certificates at the next level down in the chain. All certificates immediately below the root certificate inherit the trustworthiness of the root certificate. Certificates further down the chain depend on the trustworthiness of the intermediate certificate(s).

The server certificate’s private key is not part of establishing the chain of trust. It is used to encrypt and decrypt data after identity is established.

The arrows on the left side of the drawing show how identity is verified during the handshake. Working up the chain, the server sends the client its server and intermediate certificates. The client:

  1. Verifies that the server certificate was signed by the intermediate certificate (the signature checks out under the intermediate certificate's public key) and that the Distinguished Names match, that is, the issuer Distinguished Name of the server certificate equals the subject Distinguished Name of the intermediate certificate.

  2. Verifies that the intermediate certificate was signed by the root certificate, which it has in its Trust Store.

Assuming all signatures match, communication begins.
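The two client-side checks above, built end to end with the OpenSSL command line. This is an added example, not code from the original page; the CA and host names are constructed for the demo and all files are written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original page): build a three-level chain
# (root -> intermediate -> server) with OpenSSL and check it the way the
# client does in the handshake. All names are constructed for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed with its own private key.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate CA: its certificate is signed by the root's private key
# (the downward arrow in Figure 15).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout intermediate.key -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -days 1825 -extfile ca.ext -out intermediate.pem 2>/dev/null

# Server certificate: signed by the intermediate's private key. Its own
# private key plays no part in building the chain.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example.test\n' > srv.ext
openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \
  -CAcreateserial -days 397 -extfile srv.ext -out server.pem 2>/dev/null

# Step 1 of the text: the child's issuer DN must equal the parent's subject DN.
dn_link_ok() {
  child_issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')
  parent_subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^subject=//')
  [ "$child_issuer" = "$parent_subject" ]
}

# Steps 1 and 2 together: -CAfile stands in for the client's Trust Store,
# -untrusted is the intermediate the server sent along with its certificate.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted intermediate.pem server.pem
}

# If the server omits the intermediate, the client cannot reach the root
# and verification fails (non-zero exit).
verify_without_intermediate() {
  openssl verify -CAfile root.pem server.pem 2>/dev/null
}
```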

Note: Certificates have an expiration date. Every couple of years they must be renewed.