Certificate Chain of Trust
flowchart TB
    subgraph root ["Root CA — trust anchor"]
        Root["Root CA: Example Trust Root<br/>Self-signed<br/>Lives in browser trust store<br/>Offline HSM"]:::rootNode
    end
    subgraph mid ["Intermediate CAs"]
        IntA["Intermediate CA A"]:::caNode
        IntB["Intermediate CA B"]:::caNode
    end
    subgraph leaf ["End-entity certificates"]
        WWW["www.example.com"]:::leafNode
        API["api.example.com"]:::leafNode
        MAIL["mail.example.com"]:::leafNode
    end
    Root -- signs --> IntA
    Root -- signs --> IntB
    IntA -- signs --> WWW
    IntA -- signs --> API
    IntB -- signs --> MAIL
    classDef rootNode fill:#1565c0,stroke:#d4af37,stroke-width:4px,color:#ffffff,font-size:14px
    classDef caNode fill:#455a64,stroke:#263238,stroke-width:2px,color:#ffffff,font-size:15px
    classDef leafNode fill:#ffffff,stroke:#d84315,stroke-width:2px,color:#212529,font-size:14px
    linkStyle default stroke:#90a4ae,stroke-width:2px,font-size:13px
Legend
Gold border = trust anchor
Blue = CA certificate
Slate = intermediate CA
White / orange = end entity
Verification path (reverse direction)
- Browser receives www.example.com certificate
- ↑ verifies its signature using Intermediate CA A's public key
- ↑ verifies the signature on Intermediate CA A's certificate using the Root CA's public key
- ↑ Root CA in the trust store? → trust established
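The verification path above, as an added example that is not part of the original page: it walks from the leaf up to a trust-store entry and rejects the chain if any signature, CA flag or issuer lookup fails. The `Cert` record, the function names and the toy textbook-RSA keys built from small Mersenne primes are assumptions made for illustration; they stand in for real X.509 certificates and real keys.

```python
import hashlib
from dataclasses import dataclass, replace

def make_key(p, q, e=65537):  # toy textbook RSA: illustration only, not secure
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

@dataclass(frozen=True)
class Cert:  # simplified stand-in for an X.509 certificate (assumption)
    subject: str
    issuer: str
    pub: tuple
    is_ca: bool
    sig: int = 0

def digest(cert, n):
    # Hash the "to-be-signed" fields; the signature itself is excluded.
    tbs = f"{cert.subject}|{cert.issuer}|{cert.pub}|{cert.is_ca}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, pub, issuer, issuer_priv, is_ca=False):
    n, d = issuer_priv
    cert = Cert(subject, issuer, pub, is_ca)
    return replace(cert, sig=pow(digest(cert, n), d, n))

def sig_ok(cert, issuer_pub):
    n, e = issuer_pub
    return pow(cert.sig, e, n) == digest(cert, n)

def verify_chain(leaf, intermediates, trust_store):
    """Walk leaf -> issuer -> trust anchor; return the verified path or None."""
    by_subject = {c.subject: c for c in intermediates}
    cert, path = leaf, [leaf.subject]
    for _ in range(len(intermediates) + 1):  # bounded, so issuer loops end
        anchor = trust_store.get(cert.issuer)
        issuer = anchor if anchor is not None else by_subject.get(cert.issuer)
        if issuer is None or not issuer.is_ca or not sig_ok(cert, issuer.pub):
            return None
        path.append(issuer.subject)
        if anchor is not None:
            return path  # signature checked against a trust-store key
        cert = issuer
    return None

# Constructed sample hierarchy using the names from the diagram.
root_pub, root_priv = make_key(2**61 - 1, 2**127 - 1)
int_pub, int_priv = make_key(2**89 - 1, 2**107 - 1)
leaf_pub = make_key(2**31 - 1, 2**521 - 1)[0]
ROOT = issue("Example Trust Root", root_pub, "Example Trust Root", root_priv, True)
INT_A = issue("Intermediate CA A", int_pub, "Example Trust Root", root_priv, True)
WWW = issue("www.example.com", leaf_pub, "Intermediate CA A", int_priv)
TRUST_STORE = {ROOT.subject: ROOT}
```

Real path validation also checks validity periods, revocation status, key usage and name constraints, none of which this sketch models.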