Extinction of Unchained SSL Certificates

Unchained SSL Certificates are certificates that are signed directly by a trusted root certificate (which comes embedded in most web browsers). Normal SSL certificates use what is a called a chain certificate or an Intermediate certificate to link your certificate to a trusted root certificate. For example, the image below shows a certificate for www.paypal.com which is signed by the VeriSign 3 Extended Validation SSL SGC CA Intermediate certificate which, in turn, is signed by the VeriSign root certificate.

Several months ago, VeriSign annouced that they will no longer offer Unchained certificates after December 11, 2008. Why would they do this? VeriSign specifically gave two reasons:

• Offline CA storage provides greater protection of the root's key pair from attacks
• Intermediate roots can be maintained for each unique product and updated without disruption to the customer

Chained Certificates are more secure

Using chain/Intermediate certificates is the better option because it provides greater security. This is because the private key of the signing certificate must be present on any server that creates certificates. If a root certificate's private key is on an accessible server, that server must be protected extremely well. If the private key is compromised, it becomes worthless as do all the certificates that were issued by it. On the other hand, if an Intermediate certificate is compromised but the root certificate's key is safely stored away, a new Intermediate certificate can be generated and new certificates can be issued off of it. Chain certificates also provide the advantage of smaller CRL files that can make a site load faster.

All major web browsers and servers use chain certificates and installation simply requires putting the extra intermediate certificate on the server/device. There are a few devices that do not support chain certificates and there are some situations where unchained certificates are much easier to implement. However, all major CAs have stopped issuing unchained certs for all but exceptional circumstances.

Originally posted on Sun Nov 30, 2008

Comments

Duane(2014-12-13)

Oh and the poorly programmed Cisco software, don't even get me started on how poorly implemented some of their stuff is at times, they should be taken out and shot at times it's that bad.

Duane(2014-12-13)

They are correct in saying that offline storage is more secure, it's harder to attack something you have to physically access after all. If I were a betting man my money would be on Verisign is doing this for the simple fact that it would/could be making their audit/insurance cheaper, since a breach would cost a lot of money and face, minimising the problems after a breach for both themselves and browsers has it's advantages.