PKI Tutorials - Herong's Tutorial Examples - v2.34, by Herong Yang
Viewing Server Certificate Chain in Google Chrome
This section provides a tutorial example on how to view server certificate chain when visiting a 'https' Website in Google Chrome. The top certificate in a certificate chain is the root CA certificate, which is trusted by browser settings.
When a browser validates a server certificate, it will try to build a certificate chain, also called certificate path, which is an ordered list of certificates that satisfy these conditions:
- The first certificate must a Root CA (Certificate Authority) certificate that is trusted by the browser.
- The subject of each certificate, except for the last, must be the issuer of the next certificate.
- The last certificate is the server certificate to be validated.
Here is what I did to see the certificate chain for Yahoo Website on Google Chrome.
1. Run Google Chrome and go to https://www.yahoo.com. Wait for the home page to be fully loaded.
2. Click the site information icon at the left side of the URL address area. I see the site information popup box.
3. Click "Connection is secure". The site security popup box shows up.
4. Click the "Certificate is valid" link on the popup box. I see the server certificate displayed in the Certificate Viewer window.
5. Since different Chrome releases may use different Certificate Viewers, you may have to navigate differently to find the certificate chain. For example:
- Click the "Details" tab on Chrome 124,
- See the certificate chain section above the "Details" section on Chrome 103.
- Click the "Certificate Chain" tab on Chrome 40.
6. Review the certificate chain for the Yahoo server certificate. It consists of 3 certificates:
DigiCert High Assurance EV Root CA - The root CA
|- DigiCert SHA2 High Assurance Server CA - The intermediate CA
|- *.fantasysports.yahoo.com - The Web server
7. Click on "DigiCert High Assurance EV Root CA" in the path to see more information about the root CA certificate.
8. Click on "DigiCert SHA2 High Assurance Server CA" in the path, to see more information about the intermediate CA certificate.
What do you think about this certificate chain? I think we should trust www.yahoo.com now, because:
- The root CA certificate "DigiCert" can be trusted because it was pre-installed in Chrome as a trusted certificate.
- The intermediate CA certificate "DigiCert SHA2 High Assurance Server CA" can be trusted because it was issued by a trusted root CA.
- The *.login.yahoo.com certificate "*.login.yahoo.com" can be trusted because it was issued by a trusted intermediate CA.
Table of Contents
Introduction of PKI (Public Key Infrastructure)
Introduction of HTTPS (Hypertext Transfer Protocol Secure)
►Using HTTPS with Google Chrome
Visiting "HTTPS" Website with Google Chrome
Viewing Server Certificate in Google Chrome
►Viewing Server Certificate Chain in Google Chrome
Exporting Server Certificate to File in Google Chrome
Viewing Trusted Root CA Certificates in Google Chrome
Listing of Trusted Root CA in Google Chrome
Exporting Root Certificate to File from Google Chrome
Deleting Root CA Certificates from Google Chrome
Google Chrome Shares Windows PKI with IE
Using HTTPS with Mozilla Firefox
Using HTTPS with Microsoft Edge
Using HTTPS with IE (Internet Explorer)
Android and Server Certificate
Windows Certificate Stores and Console
RDP (Remote Desktop Protocol) and Server Certificate
macOS Certificate Stores and Keychain Access
Linux Certificate Stores and Tools
Perl Scripts Communicating with HTTPS Servers
PHP Scripts Communicating with HTTPS Servers
Python Scripts Communicating with HTTPS Servers
Java Programs Communicating with HTTPS Servers
.NET Programs Communicating with HTTPS Servers
CAcert.org - Root CA Offering Free Certificates
PKI CA Administration - Issuing Certificates
Comodo Free Personal Certificate
Digital Signature - Microsoft Word
Digital Signature - OpenOffice.org 3