Certificates – Is it OK to set SSL fullchain on service

In order to understand the answer to the problem, we need to understand how certificates work. When a program encounters a certificate and wants to verify its authenticity, it examines the certificate itself, as well as the issuer of that certificate (i.e. the one who signed it).

This process is repeated until:

  • A trust anchor is found (success)
  • A validation error occurs (failure)
  • A certificate is missing (failure)
  • The top of the chain is reached and no trust anchor is found (failure)

This means that if I have a "Leaf" certificate, signed by "Branch" signed by "Root", then I have to check three certificates. For this process to succeed, a trust anchor must be found. 99% of the time, it will be "Root". Since I must already know "Root", the certificate chain does not need to include "Root".

Leaf + Branch are sent

This is the typical scenario. A client first checks "Leaf", then "Branch", and searches for "Root" in its own trusted data store. If "Root" is found, "Leaf" is a trusted certificate (assuming all other data is valid). If "Root" is not found in the trusted data store, the certificate is not trusted.

Leaf + Branch + Root are sent

That's what you called the "fullchain" scenario. The check works exactly the same way. If "Root" is found in the trusted data store, "Leaf" is trusted. If it is not found, "Leaf" is not trusted.

Leaf + Root are sent

This scenario is most likely a configuration error. When "Leaf" is being checked, the program tries to check "Branch". Since this certificate is missing, verification fails, even if "Leaf" is valid. The fact that "Root" is present does not help the verification process, because the link between "Leaf" and "Root" cannot be established.

Only Leaf is sent

This scenario is also a configuration error, but much more common than the previous one. The result is nevertheless the same, since "Leaf" depends on "Branch", which is missing.

You can send the complete certificate chain or omit the root certificate. This has no impact on security, although sending the root certificate is unnecessary and wastes bandwidth.