Cisco Headend Digital Broadband Delivery System
Chapter 7 DNCS Web Services Security
72
4034689 Rev A
Certificate Chain — The succession of certificates starting from the server or
client certificate and ending at the root certificate makes up a certificate chain.
The shortest possible certificate chain has two certificates: the server or client
certificate and the root CA certificate. This occurs when the server or client
certificate is signed directly with the root CA private key. To reduce the risk of
compromising the root CA's private key, some Certification Authorities sign server
or client certificates only with an intermediate certification authority. An
intermediate CA can also sign another intermediate CA certificate, which makes
the certificate chain longer. The certificate chain is the entire certification path
from the signed certificate to the root CA certificate.
CA Certificate Chain — A CA certificate chain is the succession of intermediate
CA certificates up to and including the root certificate. If a server or client
certificate is signed by the root CA, then the CA certificate chain contains only the
root certificate. If a server or client certificate is signed by an intermediate CA,
then the CA certificate chain contains all intermediate CA certificates and the root
certificate. For example, if the client or server certificate was signed by
intermediate CA 2, the intermediate CA 2 certificate was signed by intermediate
CA 1, and the intermediate CA 1 certificate was signed by the root CA, then
intermediate CA 2, intermediate CA 1, and the root certificate make up the CA
certificate chain. A peer that trusts only the root CA needs every intermediate
certificate in order to build the path from the signed certificate to that root, so a
chain that omits one intermediate certificate cannot be validated. The cachain.crt
file on the DNCS must contain the entire CA certificate chain for the DNCS server
certificate. The cacert.pem file on the DNCS must contain the entire CA
certificate chain for the DNCS client certificate.
Trusted Certificate Authorities — For an HTTP-S client to trust an HTTP-S
server's certificate, the HTTP-S client must trust the root CA certificate at the top
of the server's certificate chain. If client authentication is required on the HTTP-S
server, the server must likewise trust the client's root CA certificate. Web
browsers, a type of HTTP-S client, typically include a set of trusted root CA
certificates for companies such as VeriSign. The cacert.pem file on the DNCS must
contain all of the root CA certificates that the DNCS is to trust; a certificate whose
root CA certificate is not in cacert.pem cannot be validated by the DNCS, however
complete the rest of its chain is.
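The three bundle rules above (the full certificate chain, a cachain.crt that carries every intermediate CA certificate plus the root, and the trusted root CA certificates in cacert.pem) can be checked with the openssl command-line tool before the files are installed. The following script is an added example and is not part of the Cisco document or the DNCS software: it builds a throwaway PKI with the same shape as the example in the text (root CA, intermediate CA 1, intermediate CA 2, server certificate), assembles the CA certificate chain in the order intermediate CA 2, intermediate CA 1, root, and shows that verification fails when intermediate CA 1 is left out. The file names root.crt, int1.crt, int2.crt and server.crt, the helper function names, and the subject dncs.example.net are assumptions of this example; it also assumes openssl 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Added example, not from the Cisco DNCS documentation.
# Assumes the openssl command-line tool (1.1.1 or later) is on the PATH.
# File names (root, int1, int2, server) and subject names are assumptions of
# this example, not DNCS file names.
set -u

# issue_cert DIR NAME ISSUER SUBJECT EXTFILE
# Generate a key and CSR for NAME and have ISSUER sign it with the X.509
# extensions listed in EXTFILE (a CA file for intermediates, an end-entity
# file for the server certificate).
issue_cert() {
    ic_dir=$1; ic_name=$2; ic_issuer=$3; ic_subj=$4; ic_ext=$5
    openssl req -new -newkey rsa:2048 -nodes -subj "$ic_subj" \
        -keyout "$ic_dir/$ic_name.key" -out "$ic_dir/$ic_name.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$ic_dir/$ic_name.csr" \
        -CA "$ic_dir/$ic_issuer.crt" -CAkey "$ic_dir/$ic_issuer.key" -CAcreateserial \
        -extfile "$ic_ext" -out "$ic_dir/$ic_name.crt" 2>/dev/null
}

# build_test_pki DIR
# Self-signed root -> intermediate CA 1 -> intermediate CA 2 -> server
# certificate: the three-level example used in the text.
build_test_pki() {
    bp_dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$bp_dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        > "$bp_dir/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout "$bp_dir/root.key" -out "$bp_dir/root.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$bp_dir/root.csr" -signkey "$bp_dir/root.key" \
        -extfile "$bp_dir/ca.ext" -out "$bp_dir/root.crt" 2>/dev/null &&
    issue_cert "$bp_dir" int1 root '/CN=Example Intermediate CA 1' "$bp_dir/ca.ext" &&
    issue_cert "$bp_dir" int2 int1 '/CN=Example Intermediate CA 2' "$bp_dir/ca.ext" &&
    issue_cert "$bp_dir" server int2 '/CN=dncs.example.net' "$bp_dir/server.ext"
}

# verify_chain TRUSTED_ROOTS CA_CHAIN LEAF
# Succeeds only if LEAF chains to a root in TRUSTED_ROOTS using the CA
# certificates in CA_CHAIN, which is exactly what an HTTP-S peer holding
# those roots must be able to do.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# show_chain BUNDLE
# Print subject and issuer of every certificate in a PEM bundle, in file order.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# chain_is_ordered BUNDLE
# Succeeds if each certificate's issuer is the subject of the next certificate
# in the file and the last certificate is self-signed (the root). This is a
# plain name comparison, enough to catch a missing or misplaced certificate;
# verify_chain does the real signature and extension checks.
chain_is_ordered() {
    show_chain "$1" | awk '
        /^subject=/ { s = substr($0, 9); if (seen && s != i) bad = 1 }
        /^issuer=/  { i = substr($0, 8); seen = 1 }
        END { exit ((bad || i != s) ? 1 : 0) }'
}

# Demonstration: a complete cachain.crt verifies, one missing intermediate
# CA 1 does not.
demo() {
    work=$(mktemp -d)
    build_test_pki "$work"
    cat "$work/int2.crt" "$work/int1.crt" "$work/root.crt" > "$work/cachain.crt"
    cat "$work/int2.crt" "$work/root.crt" > "$work/cachain-missing-int1.crt"
    for bundle in cachain.crt cachain-missing-int1.crt; do
        if verify_chain "$work/root.crt" "$work/$bundle" "$work/server.crt"; then
            echo "$bundle: server certificate verifies"
        else
            echo "$bundle: verification FAILED (incomplete CA certificate chain)"
        fi
    done
    rm -rf "$work"
}
demo
```

The same verify_chain call with the DNCS's own server certificate, its cachain.crt and the cacert.pem file of trusted roots tells you whether a client that holds only those roots can build the chain; run show_chain on cachain.crt to see the path in the order it is stored.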