A Chain Certificate for EV Multi-Domain Certificates is a type of electronic document that contains the public key and digital signature of a root certificate authority (CA). Upon successful purchase, organizations install their Chain Certificate into their web browser. Doing so creates a chain of trust between end users and their EV Multi-Domain certificates, a type of extended validation (EV) certificate which can apply to at least 100 fully qualified domain names (FQDNs) and up to 250 FDQNs including sub-domains.
Companies obtain root certificates from only trusted CAs, or entities which are authorized to verify someone's identity. Most web browsers and operating systems ship out to consumers with a trust store containing a list of trusted CAs. A device such as a web browser, in turn, uses that list to validate an SSL certificate's issuer.
In the event the device does not find a match, it navigates up what is known as the certificate chain by checking any and all intermediate certificates. These digital certificates sit between the end-user (SSL) certificate and root certificate. As such, an intermediate certificate signs/issues the SSL Certificate.
The device determines whether the intermediate certificate of the issuing CA was signed by a trusted CA. In the event it wasn't, the device continues this process across subsequent intermediate certificates until it discovers a trusted CA match or until it reaches the root certificate. If it ultimately finds no match with a trusted CA along that entire "chain of trust," the device displays an error message.
To adequately protect users, companies should verify that their Chain Certificate for EV Multi-Domain Certificates is up-to-date. They should also validate that the correct CA certificate chain is installed on each Transport Layer Security (TLS) server lest their clients experience an error when trying to reach a given resource. Lastly, they should ensure that all CA certificates expire after the server's TLS certificate.
Organizations can simplify management of chain certificates and prevent business interruptions by using an automated solution such as the Venafi Platform. This utility validates that certificate and chain on every server is correctly installed on a nightly basis. It also supports the automated installation of CA certificate chains with certificates along with the ability to provision and manage such chains. All the while, the Venafi Platform has the ability to manage and enforce trust stores across all systems.