ServerIron ADX Security Guide 153
53-1002440-03
Configuring SSL on a ServerIron ADX 6
Chained Certificate Verification
When the server certificate is not signed directly by the root CA, but signed by an intermediate CA,
as shown in the following example, there are two possible scenarios.
CA ----> intermediate CA ----> server certificate
Client Already Has Intermediate CA's Certificate
In the first scenario, there are NO additional requirements. When the server sends a certificate that
is signed by the intermediate CA, the client browser will be able to process it successfully.
Client Does NOT Have Intermediate CA's Certificate
In the second scenario, the server sends a certificate that is signed by the intermediate CA. However,
since the end client has no knowledge of the intermediate CA, it rejects the certificate and the
process fails.
To resolve this issue, the server must send not only its own certificate, but also the intermediate
CA's certificate that is signed by the root CA. In other words, the server sends a chain of certificates.
NOTE
The server sends only its own certificate and the intermediate CA's certificate. It does NOT send the
root CA’s certificate.
Example
Your server certificate is signed by VeriSign International Server CA - Class 3. This is an
intermediate CA, whose certificate is signed by VeriSign Class 3 Public Primary CA.
Figure 12 shows the certificate hierarchy, with "L47.brocade.com" at the third level. The first level
certificate is also labeled as "built-in object token" by Firefox. This is an example of chaining. The
server sends a two-level chain containing its own certificate and the certificate of the intermediate
CA.
The certificate chain sent by the server must be in the correct order: server -> intermediate CA. The
intermediate CA certificate must also be signed by a CA whose certificate is already present in the client's trust store.
Figure 12 shows the certificate fields.
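The two scenarios above, worked through with the openssl command-line tool as an added example (not from the Brocade guide): it creates a root CA, an intermediate CA and a server certificate, builds the two-certificate chain the server should present, and checks that chain as a client that trusts only the root. All CNs, file names and the `client_verify` helper are made up for the example.

```shell
#!/bin/sh
# Added example, not from the Brocade guide. Builds a root -> intermediate -> server
# hierarchy with the openssl CLI and shows when a client can verify the server
# certificate. All names, CNs and file paths are made up for the example.
set -e
WORK=$(mktemp -d)

# Root CA, self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA: CSR signed by the root, marked as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

# Server certificate: CSR signed by the intermediate, not by the root.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$WORK/srv.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -extfile "$WORK/srv.ext" -out "$WORK/server.pem" 2>/dev/null

# The chain the server should present: its own certificate first, then the
# intermediate CA certificate. The root CA certificate is deliberately left out.
cat "$WORK/server.pem" "$WORK/inter.pem" > "$WORK/chain.pem"

# Two client trust stores: one that already holds the intermediate, one with only the root.
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/trust_with_inter.pem"
cp "$WORK/root.pem" "$WORK/trust_root_only.pem"

# client_verify TRUSTSTORE LEAF [EXTRAS]: act as a client with trust store TRUSTSTORE
# checking the server certificate LEAF. EXTRAS, if given, holds the additional
# untrusted certificates the server sent with it. Returns 0 if the chain verifies.
client_verify() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

client_verify "$WORK/trust_with_inter.pem" "$WORK/server.pem" && echo "client has intermediate, leaf only: OK"
client_verify "$WORK/trust_root_only.pem" "$WORK/server.pem" || echo "root only, leaf only: REJECTED"
client_verify "$WORK/trust_root_only.pem" "$WORK/server.pem" "$WORK/chain.pem" && echo "root only, leaf + intermediate: OK"
```

The second call is the failure case from the text (client lacks the intermediate), and the third shows the fix: the same client accepts the server once the intermediate certificate travels with the server certificate.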