SSL Certificate Check

Internet – Blog No 3
Time to Read
30 Minutes
Who should read this blog?
SSL Certificate check
SSL Certificate Check


While choosing the topic of SSL certificates and to explian chain of trust, the word that came to my mind was Bicholiya.

I am sure you all might have watched a top-rated Netflix show – Indian Matchmaking if you haven’t, I would highly recommend you watch it, at least to understand the chain of trust. So, in this show, our main character Seema Taparia is a Bicholiya.

Bicholiya is a traditional practice followed in India. It involves a unique method of matchmaking where people, known as Bicholia, are responsible for finding suitable matches for unmarried individuals in the community. The Bicholiyas employ various methods to gather information about prospective matches, including visiting neighboring villages, attending social gatherings, and relying on their network of contacts. They collect details about the individual’s family background, personal characteristics, and reputation within the community. It is seen as a reliable and trusted method of matchmaking within specific communities. In a nutshell, Bicholiyas provides a common trust authority on which the bride and groom take such an important decision of marriage. Metaphorically if we encounter bicholiyas in every sphere of life, Last time, did you think twice before entering your user credentials on your bank website, why? because you trusted the website because of a Lock sign visible preceding https, followed by website URL in the browser’s address field. Today we will talk about SSL certificates and how Bicholiyas plays a role here too.

Chain of Trust

We will understand how the chain of trust works with the example again of our bicholiya, bride, and groom. Let’s name our bride Simran and groom Raj and Our Bicholiya is world famous Seema Taparia.

Scenario 1

First, let’s understand how trust works between two people. In our example, we will consider that Simran and Raj are from the same village/town or they had a long association before deciding to marry. In this case, both of them know each other very well so there is no third person required to confirm the trust.

This scenario can be compared to the scenario where you are accessing your intranet website data, and you trust this website as it is hosted in your network. you may access your website simply on HTTP or even if you want secured communication with HTTPS, you may use self-signed certificates. No role for Seema Taparia here.

Scenario 2

However, let’s consider a case where Raj and Simran are not from the same place, and no possibility of them knowing each other at all. This is mostly the case in Indian arranged marriages.

Let’s see how things unfold –

Simran receives an email from Raj, whom she has never met before, but who is the referral of our Bicholiya Seema Taparia, Simran herself has met Seema and put forward all her details and requirements well in advance so does Raj, so when Simran receives a message from Raj, she understands the basic compatibility requirements have already taken care of by Seema and vice versa for Raj too.

On this trust, Simran and Raj start meeting and sharing some private data with each other.

This is essentially the Chain of Trust.

Now Humans are not websites, even after basic trust is established there are many factors that are at play for both of them to decide if they are going to marry each other or not. For all that drama, you may watch the show.

Concepts become oversimplified when we understand them from real-world examples.

Since the basic concept is understood let’s understand how machines achieve this chain of trust.

When the client and server are on the same network

In scenario 1, I explained the scenario of Raj and Simran knowing each other as both are from the same village. Since they develop an interest in each other and want to develop this relationship more intimate. Of course, they want their communication to be a private affair(HTTPS) and they don’t want the entire village to know about the status of their relationship. So, they share their own code word with each other for example- Simran may share “The cow is hungry” which means it is a safe time to meet and share a good time at her place. She conveys this message to Raj through the public, but for the public, this simply means her cow is indeed hungry. lol. Same way Raj may share his own code word like “Time to Harvest” which means his place is available to have a good time.

Public KeyPrivate Key
Raj“Time to Harvest” Raj’s place is available
Simran“The cow is hungry”Simran’s Place is available

In the same way, the Client and Web server will generate their own pair of private/public keys. they share their public key with each other over the internet while keeping the private key safe with them.


private key can never be compromised or shared.

Client and Servers encrypt any communication with their respective public keys and decrypt the communication using their own private keys. This is just like a lock that has 2 different keys. Once it is locked with one key, it can only be unlocked with another key. This process is called Asymmetric key exchange which is covered in my previous blog.

This is how the process goes –

  • Both client and server generate their own public and private keys.
  • Both hide their private keys
  • The server shares its public key with the client and the client shares its public key with the server.
  • The server generates a new message and signs it with its private key.
  • The client uses the public key shared by the server earlier to verify the message signature and read the message.

Let’s complicate this process now.

When the client and server are on the Internet

In Scenario 2, we discussed Raj and Simran are not from the same place and no possibility of them knowing each other at all, but both of them know Seema Taparia and have exchanged their details with her. Now the chain of trust plays an important role here. We are going to explain the different players in this chain of trust, let’s start.

Trusted Root CA

Simran receives an email from Raj, whom she has never met before, but who is the referral of our Bicholiya Seema Taparia. In this email, he has attached his details along with the recommendation certificate from Seema Taparia. The recommendation certificate has an authorized signature and a seal of trust in the name of Seema Taparia.

Simran is able to verify that Raj’s profile is indeed signed by Seema and because she trusts Seema’s credentials to verify Raj, she trusts Raj and shares her public key with him. Kindly note in this exchange no party exchange their private key with each other.

Our story is in the building phase and In our story we have brought a new character Seema. Let’s introduce that character in our web communication world. We can call him Certificate Authority(CA).

Seema has established herself as a world-renowned Bicholiya already and everyone trusts her credentials, Similarly, there might be many renowned Bicholiya like her who are well known, of course, she became famous worldwide due to the Netflix show.

In the same way, our CA’s are well-known trust authorities recognized by internet bodies.

Some famous names of CA’s are – Verisign, Let’s Encrypt, DigiCert, Comodo, GlobalSign, GoDaddy, Symantec, Sectigo (formerly Comodo CA), Entrust, and Amazon Trust Services, and many more.

Since they are well-known CA’s their public certificates should be known to all the machines and that is the reason their public key certificates are shipped on all the machine’s certificate stores and hence trusted by all the browsers.

You can open the Certificate Manager in Windows by pressing the Windows key + R to bring up the Run command, type certmgr.msc and press Enter. 

Note the CA certificate available on my Laptop cert-manager.

Since they are well-known CA’s we call them Root CA or Trusted Root Certificate Authority.

In the above snapshot, you can notice terms like Issued to and Issued by and as you will notice they are the same name because they are root CA. Seema Taparia advertises herself as the well-known Bicholiya, she has earned it over the years, similarly, our root CA advertises itself as Trusted Root CA’s. We will more discussion about Issued to and issued by in our next paragraph.

Intermediate CA

Seema Taparia might be world famous but she can not single-handedly handle so many clients worldwide. She needs delegation of work where she remains the root authority but she delegates her work to the intermediate Bicholiyas who approaches her clients in her name, so an intermediate Bicholiya may take a license from her to serve a specific region, that way she expands her chain of trust.

In the same way, we have intermediate CA’s who are issued a license to operate in the name of Root CA

Refer to the Intermediate Certificate in the certificate manager on my laptop.

As you can notice we have Issued To and Issued By columns where Issued To is the Intermediate CA and Issued By is the Trusted Root CA.

So Raj and Simran might not have approached Seema Taparia directly instead two different intermediate Bicholiya deputed to their region.

In this case, when Raj sends an email to Simran which sends his details he will also send the recommendation certificate from Intermediate Bicholiya. The recommendation certificate has an authorized signature and a seal of trust in the name of Seema Taparia. Hence Simran now trusts Raj, Intermediate Bicholiya, and of course, she trusts Seema Taparia.


in most cases you will see both the root and intermediate certificate for a website but there would be cases where you would see only the Root certificate as CA, As the certificate was signed by Root CA and no intermediate CA was involved in the process.

Leaf Certificate

To get registered with either intermediate bicholiya or directly with Seema Taparia, Raj and Simran have to give all their personal details along with their proof document to prove their identity, their education, and their financial background. So they have to fill out a registration form with their details and attach their proof documents along with the form. Once all the details are correctly verified, the Intermediate bicholiya or Root Seema herself signs their registration letter with their personal signature and stamps the registration form with their private seal.

Raj and Simran then can use their signed registration forms to get authenticated as valid brides and grooms.

Similarly, the website owner/admin who wants to SSL secure their websites and make their websites trusted over the internet has to get their certificate signed with either the intermediate CA or Root CA. This process is called a Certificate Signing Request (CSR) which we will cover in the next topic.

So as observed in the whole process, after we get the signed certificate, we would have 3 certificates with us the certificate of the bride/groom(website leaf certificate), the Intermediate bicholiya certificate ( Intermediate CA certificate), and the Seema Taparia’s certificate ( Trusted root Certificate).


If you want to use your website within your internal network boundaries(intranet), you don’t need to approach the public CA’s, rather you may install your internal public key infrastructure (PKI) solution provided by Microsoft Active Directory Certificate Services (AD CS). An open source alternative to Microsoft AD CS is OPENSSL toolkit. In this case the AD CS Server itself acts as a Internal certificate autority(CA) and signs the certificates for internal website domains.

Just like the Intermediate and Root CA, The leaf certificates are stored in Cert Manager but in the different Personal Certificate folder of the Cert Manager as shown in the below snapshot.

In most cases, the website’s leaf certificates are not present in the Personal Certificate folder on the client side as the website leaf certificate is dynamically presented by the website on the internet to the client when the client browser requests the webpage. On the client side, you will only notice the Intermediate CA and Trusted Root CA public certificates.

The reason is very simple there are millions of websites out there if clients have to install the leaf certificate of all the websites it would be a nightmare not only for the storage perspective but scalability perspective as every day there are thousands of new websites getting added on the internet.

However, the server hosting the website would contain a complete chain of the certificates including Leaf, Intermediate, and Trusted root within their respective folders as I have already shared the snapshot.

Certificate Signing Request

As explained above Raj and Simran have their personal details, private key, and public key with them but they have to fill in the details (except the private key remember) in some kind of registration form to get it validated and signed by the intermediate bicholiya or Seema.

Similarly, the website Owner/Administrator has website details that he is going to publish over the internet so he has to create a certificate Signing Request to get the certificate signed by CA by their private keys.

To get a signed certificate, A Website Admin must create a CSR on his server. This process creates a private key and a public key on his server.


The CSR data file that you send to the CA contains the public key. The CA uses the CSR data to create a data structure to match your private key without compromising the key itself. The CA never sees the private key.

There are multiple ways to create a CSR, like using the open-source OpenSSL utility, or Windows ADCS Server, or through the Certificate Authority providers directly.

To create CSR through the Certificate Authority , we can go to their websites and follow the process

Refer this link for creating CSR through Digicert CA.

Let’s see how to do it through the OpenSSL utility manually –

  • Install OpenSSL: If you don’t have OpenSSL installed on your system, you can download and install it from the official OpenSSL website (
  • Generate a Private Key: Before creating a CSR, you need to generate a private key. Run the following command to generate a new private key and follow the steps
openssl genpkey -algorithm RSA -out private.key -aes256
Enter PEM pass phrase:sslcertp@ss123
Verifying - Enter PEM pass phrase:sslcertp@ss123
Note - This pass phrase will encrypt your generated private key for extra layer of security. so always remember your paas phrase , better store it on some keyvault, if someone learns the pass phrase and get hold of your private key they may know the private key of the certificate and decrypt the communication.

The Private key is Generated with name private.key and can be opned in Notepad, this is how it looks-


  • Create a CSR: Once you have the private key, you can use it to create a CSR. This is just like Raj/Simran giving their personal details, Run the following command:
Generate the CSR with the generate private key in above command
openssl req -new -key private.key -out csr.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Telangana
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]
Organizational Unit Name (eg, section) []:IT department
Common Name (e.g. server FQDN or YOUR name) []:*
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:thecloudblogger

Note - The challenge password is intended to serve as a shared secret between the entity requesting the certificate (the applicant) and the Certificate Authority (CA) that will sign the certificate. When the CA receives the CSR, it may verify the applicant's identity by requesting the challenge password.This is optional step.
CSR File is generated and lets open in notepad :

  • If you have noticed in the Common Name Field – I have mentioned *, the reason is tomorrow if my website expands and may have many sub-websites like or so I don’t have to create a separate certificate for each website, * will cover for all the websites.
  • This could also be achieved using SAN (Subject Alternative Filed), so if in your common name, you just enter Under SAN Field you may enter other valid website names with you want to use this certificate.
    • Create a configuration file (e.g., san.cnf) with the following content:
    • In this example,,, and are specified as SAN entries. You can add or remove entries based on your requirements. In this case, my certificate can be used for,, and hostnames too.
req_extensions = v3_req
distinguished_name = req_distinguished_name

subjectAltName = @alt_names

DNS.1 =
DNS.2 =
IP.1 =

Generate the CSR using the configuration file:
openssl req -new -key private.key -out csr.csr -config san.cnf
  • Submit the CSR to a trusted Certificate Authority (CA) for signing and issuance of the SSL certificate.
  • CA will validate the details provided in CSR and will issue a certificate that can be downloaded in CRT/CER/PEM/PKCS7 formats. Refer to the Digicert page for more details on how they validate the certificate.

Contents of downloaded certificate

I have downloaded my signed thecloudblogger website certificate in CRT format and this is how it looks

Certification path tab

Let’s peek inside the certificate, Lets zoom into Certification Path tab and it shows complete chain of the certificate, if you see any component missing try to download again and make sure you have complete chain made of Leaf, Intermediate CA and Root CA.

General tab

General and Details tab shows the details of the selected certificate in the certification path tab, by default these tabs show the details of the Leaf certificate.

General shows the certificate was issue to Common Name (Subject), shows the validity of the certificate and who issued the certificate, in my case intermediate CA R3.

I have downloaded this certificate from the CA website but if i want to install this certificate on my local laptop, i can click on the button Install Certificate and this will install all 3 certificates viz Leaf Certificate in Personal certificate folder, Intermediate CA certificate in my Intermediate certificate authority’s folder and Root Certificate in my Trusted root certificates folder of my Cert Manager.

Details tab

Details tab shows the actual content of the selected certificate. As we can see the issuer details (Issued By) ,Validity of the certificate, subject name (Issued to), Public key , Subject Alternative Name (SAN) and Thumbprint. Thumbprint as the name suggest is unique to each certificate and can be used to identify a certificate just like fingerprints are used to identify a person. Thumbprint of Leaf , Intermedite CA and Root CA certificate would be unique. Kindly note the certificate does not contain the private key.

Similarly, To check the details of the Intermediate CA certificate R3, go to the Certification path tab and click on view certificate.

If you notice, for Intermediate CA Issuer(Issued by ), Subject(Issued to) fields are changed.

To see the details of the Root certificate, go to the Certification path, select Root certificate and click on view certificate button.

If you notice, for Root CA Issuer(Issued by ), Subject(Issued to) fields are changed and they have same value as ISG Root X1. This shows that Root CA is the epic body and there is no one above them. This is how you can identify if a given certificate is a Root certificate or not.

Install the certificate on the Web Server

We have downloaded the complete chain of the certificate for our website Now this certificate has to be installed on web server hosting our website.

As i have already mentioned that this certificate (CRT format) does not contain the private key, which i used to create the leaf certificate CSR. As you remember i advised to save the private key at a safe place earlier, now we will use that private key to convert the certificate format to PFX(PKCS #12) format.

We can do that by Openssl tool by using this command –

openssl pkcs12 –export –out thecloudblogger.pfx –inkey private.key –in thecloudblogger.crt

Our PFX certificate is ready and contains the complete chain of the certificate along with private key.

Once the PFX certificate is installed on the web server , the server is ready to secure the website using SSL.

On the client side, who will access this website, will have preinstalled Intermediate and Root CA certificates with public keys to identify the Leaf certificate signed by CA’s private keys presented by the Server. In my Blog How HTTPS works i have explained how the entire HTTPS communication process works.


SSL Certificate signing process is a complex process and hence my efforts have been to make it easier to understand. I started with chain of trust which is how the entire certificate process works and then covered the details of each member of the chain which is Leaf, Intermediate and Root certificates.

Related Posts

How HTTPS works

Category Internet – Blog No 2 Time to Read 30 Minutes Who should read this blog? To learn about HTTPS , SSL/TLS. How HTTPS works Preface God!…

Website slow to load

Category Network Troubleshooting – Blog No 1 Time to Read 5 Minutes Who should read this blog? To learn about the commands which make troubleshooting easier. Website…

Forwarders, Conditional Forwarders, and Root Hints

Category DNS – Blog Time to Read 20 Minutes Who should read this blog.? If you want to learn about Forwarders, Conditional Forwarders, and Root Hints and…

How to add DNS Reverse Lookup Zone in Windows Server

Category DNS – Blog Time to Read 15 Minutes Who should read this blog.? If you want to learn how to add Reverse Lookup Zone in Windows…

How to add DNS Forward Lookup Zone in Windows Server

Category DNS – Blog Time to Read 15 Minutes Who should read this blog.? If you want to learn how to add Forward Lookup Zone in Windows…

Install and Configure DNS Server on Windows Server

Category DNS – Blog Time to Read 15 Minutes Who should read this blog.? If you want to install and configure DNS Server on Windows Server Preface…

Leave a Reply

Your email address will not be published. Required fields are marked *

Verified by MonsterInsights