Certificate Chaining

A certificate chain is used to establish a chain of trust from a peer certificate to a trusted CA certificate. Each certificate is verified using another certificate, creating a chain of certificates that ends with the root certificate. The issuer of a certificate is called a certification authority (CA). The owner of the root certificate is the root certification authority. The last certificate in the chain is usually a self-signed certificate.

EFT supports full certificate chains, which is a single file with a combination of all certificates in the chain. Usually, you will receive this file from a signing authority. Otherwise, you can create the chain manually, as described below, or ask the Globalscape Technical Support team to create one for you.

To create the chain, the general steps include:

  1. You must have the following certificates:

  2. Download the OpenSSL command line utility, available free from http://www.openssl.org/related/binaries.html.

  3. Run the x509 command on a certificate file, outputting the text version of that file. (Refer to the example below.)

  4. Redirect the output into a combined file as a concatenated block of text.

For example, suppose you created a certificate in EFT called "mycert.crt" (and it has the associated private key "mycert.key"), then sent the CSR file ("mycert.csr") to Verisign, who sent you the following:

To combine these into a single file that EFT supports, use the following commands in OpenSSL:

c:\> openssl x509 -inform PEM -in "mycert_Signed.crt" -text > mycert_combined.crt

c:\> openssl x509 -inform PEM -in "Verisign_Intermediate.crt" -text >> mycert_combined.crt

c:\> openssl x509 -inform PEM -in "Verisign_Root.crt" -text >> mycert_combined.crt

You now have a certificate file that EFT can use to deploy the entire chain.

The way you access the intermediate and root certificates, as well as the format of those certificates, might differ between signing authorities.

Related Topics