Extinction of Unchained SSL Certificates

Unchained SSL certificates are certificates signed directly by a trusted root certificate (one of the roots embedded in most web browsers). Normal SSL certificates use what is called a chain certificate or an intermediate certificate to link your certificate to a trusted root. For example, the image below shows a certificate for www.paypal.com which is signed by the VeriSign Class 3 Extended Validation SSL SGC CA intermediate certificate which, in turn, is signed by the VeriSign root certificate.

A Certificate's Certificate Path

Several months ago, VeriSign announced that it will no longer offer unchained certificates after December 11, 2008. Why would they do this? VeriSign gave two specific reasons:

  • Offline CA storage provides greater protection of the root's key pair from attacks
  • Intermediate roots can be maintained for each unique product and updated without disruption to the customer

Chained Certificates are more secure

Using chain/intermediate certificates is the better option because it provides greater security. The private key of the signing certificate must be present on whatever system issues certificates. If a root certificate's private key sits on a network-accessible server, that server must be protected extremely well, because if the key is compromised the root becomes worthless, as do all the certificates issued under it: browsers have to remove the root from their trust stores, and every certificate that chains to it stops validating. On the other hand, if an intermediate certificate's key is compromised but the root's key is safely stored offline, the intermediate can be revoked, a new intermediate can be generated, and new certificates can be issued from it without touching the root that browsers already trust. Chain certificates also have the advantage of smaller CRL files, since each intermediate carries only the revocations for the certificates it issued, which can make a site load faster.

All major web browsers and servers support chain certificates, and installation simply requires putting the extra intermediate certificate on the server/device alongside your own certificate. One caveat when testing: a browser that has already cached the intermediate from another site may validate the chain even if your server omits it, so check the installation from a clean client. A few devices do not support chain certificates, and there are some situations where unchained certificates are much easier to implement. However, all major CAs have stopped issuing unchained certs for all but exceptional circumstances.
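To make the chain concrete, here is an added example (it is not from the original post and is not VeriSign's own tooling) that builds a three-level PKI with openssl: an offline-style root, an intermediate signed by it, and a server certificate signed by the intermediate. The CA names and the host name www.example.test are made up. It then verifies the server certificate the way a browser that trusts only the root would: once with the leaf alone, as a misconfigured server would send it, and once with the intermediate bundled in.

```shell
#!/bin/sh
# Added example, not from the original post. Builds root -> intermediate -> leaf
# with openssl and shows why the intermediate must be installed on the server.
# "Example Root CA", "Example Intermediate CA" and www.example.test are made up.
set -e

# Create the whole PKI inside directory $1 (runs in a subshell so the cd is local).
build_pki() (
    set -e
    mkdir -p "$1" && cd "$1"

    # Root: a CA that only signs other CAs and CRLs.
    cat > root.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Intermediate: pathlen:0 means it may sign end-entity certs only, never another CA.
    cat > int.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    # Server (leaf) certificate.
    cat > leaf.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid:always
EOF

    # 1. Root CA, self-signed. In a real CA this key never touches a networked host.
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 3650 \
        -extfile root.ext -out root.crt 2>/dev/null

    # 2. Intermediate CA, signed by the root. This is the key that lives on the
    #    online issuing system and can be revoked and replaced if compromised.
    openssl genrsa -out int.key 2048 2>/dev/null
    openssl req -new -key int.key -subj "/CN=Example Intermediate CA" -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -extfile int.ext -out int.crt 2>/dev/null

    # 3. Server certificate, signed by the intermediate: a "chained" certificate.
    openssl genrsa -out leaf.key 2048 2>/dev/null
    openssl req -new -key leaf.key -subj "/CN=www.example.test" -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out leaf.crt 2>/dev/null

    # 4. What gets installed on the web server: the leaf followed by the
    #    intermediate. The root is never sent; the client already has it.
    cat leaf.crt int.crt > chain.pem
)

# Print the issuer of a certificate (used to inspect who signed what).
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# A client that trusts only the root and is handed the leaf alone: fails with
# "unable to get local issuer certificate" (non-zero exit status).
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# The same client handed the server's bundle (leaf + intermediate): succeeds.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Demonstration when run directly.
WORK=$(mktemp -d)
build_pki "$WORK"
echo "leaf signed by:         $(issuer_of "$WORK/leaf.crt")"
echo "intermediate signed by: $(issuer_of "$WORK/int.crt")"
if verify_without_intermediate "$WORK"; then
    echo "leaf alone:          OK (unexpected)"
else
    echo "leaf alone:          FAIL, intermediate missing from server bundle"
fi
if verify_with_intermediate "$WORK"; then
    echo "leaf + intermediate: OK"
fi
```

The resulting chain.pem is what goes into the server configuration (concatenated leaf plus intermediate for nginx, or the intermediate in Apache's SSLCertificateChainFile). The first verify is exactly the error a visitor sees when the intermediate is left off the server.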

Originally posted on Sun Nov 30, 2008