Extinction of Unchained SSL Certificates
Unchained SSL Certificates are certificates that are signed directly by a trusted root certificate (which comes embedded in most web browsers). Normal SSL certificates use what is a called a chain certificate or an Intermediate certificate to link your certificate to a trusted root certificate. For example, the image below shows a certificate for www.paypal.com which is signed by the VeriSign 3 Extended Validation SSL SGC CA Intermediate certificate which, in turn, is signed by the VeriSign root certificate.
- Offline CA storage provides greater protection of the root's key pair from attacks
- Intermediate roots can be maintained for each unique product and updated without disruption to the customer
Chained Certificates are more secure
Using chain/Intermediate certificates is the better option because it provides greater security. This is because the private key of the signing certificate must be present on any server that creates certificates. If a root certificate's private key is on an accessible server, that server must be protected extremely well. If the private key is compromised, it becomes worthless as do all the certificates that were issued by it. On the other hand, if an Intermediate certificate is compromised but the root certificate's key is safely stored away, a new Intermediate certificate can be generated and new certificates can be issued off of it. Chain certificates also provide the advantage of smaller CRL files that can make a site load faster.
All major web browsers and servers use chain certificates and installation simply requires putting the extra intermediate certificate on the server/device. There are a few devices that do not support chain certificates and there are some situations where unchained certificates are much easier to implement. However, all major CAs have stopped issuing unchained certs for all but exceptional circumstances.
Originally posted on Sun Nov 30, 2008