The client must have the CA root certificate. Once the root is trusted, the client can trust the certificates signed by that root and by its intermediate certificates.
Verification starts from the certificate of the domain. If it is valid, the client verifies its issuer, and continues this process until it reaches a certificate whose issuer is itself, which is a root.
For lyokolux.space, it goes as follows:
$ openssl s_client -showcerts -connect lyokolux.space:443 -servername lyokolux.space 2> /dev/null | grep -A1 s:
0 s:CN = lyokolux.space
i:C = US, O = Let's Encrypt, CN = E8
--
1 s:C = US, O = Let's Encrypt, CN = E8
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
lyokolux.space is certified by Let's Encrypt. Let's Encrypt is certified by the root certificate ISRG Root X1. The browser also reports that ISRG Root X1 is a Certificate Authority.
Following the well-known expiration of DST Root CA X3, browsers started to trust Let's Encrypt directly. It seems openssl does too, because the ISRG Root X1 certificate does not appear in the openssl output. The Let's Encrypt certificate is trusted because of ISRG Root X1.
- A certificate can have only one issuer, because the issuer is a fixed field in the certificate, not a list.
- Signing is essentially appending a hash of the certificate, encrypted with the signer's private key.
- Intermediate certificates are not directly trusted by clients; clients only trust Root CAs.
To increase security, a certificate can be cross-signed, so that it can be verified through either of two issuers. It is up to the client or the software to decide which root certificates to trust. When the client further narrows the trusted list down to only its own certificates (or its CA), this is Client Certificate Pinning. The TikTok app, for example, does this.