Ensuring secure connections over the internet is critical for any website owner. Transport Layer Security (TLS) certificates are critical to securing these connections. TLS is a protocol or communication rule that allows computer systems to talk to each other safely on the internet. TLS certificates allow web browsers to identify and establish encrypted network connections to websites using the SSL/TLS protocol. However, managing TLS certificates can be complex, and certificate problems can lead to downtime.

Today, we're excited to announce a new feature at Netlify that addresses a prevalent issue in TLS certificate management: the mishandling of certificate chains. Our latest enhancement in certificate chain validation ensures that TLS certificates are correctly configured and secure. Before delving into how Netlify solves this problem, let's first understand what a certificate chain is and why it's essential.

Understanding Certificate Chains

A certificate chain is a series of digital certificates that link a website's SSL/TLS certificate to a trusted Certificate Authority (CA). It's akin to a digital identity verification process, where each certificate vouches for the legitimacy of the subsequent one, ultimately leading back to a root CA certificate.

Here's a simplified breakdown of the components within a certificate chain:

1. SSL/TLS Certificate: This certificate is associated directly with the website's domain. It serves as the starting point of the chain.
2. Intermediate Certificate(s): Any certificate positioned between the SSL/TLS certificate and the root certificate is known as an intermediate certificate. These certificates are issued by intermediate CAs and validate the previous certificate in the chain.
3. Root CA Certificate: The certificate at the end of the chain, also known as the root CA certificate, is self-signed. It represents the highest level of trust in the certificate hierarchy and is explicitly trusted by browsers and other TLS clients.

The Problem: Incomplete Certificate Chains

The issue, as the name implies, happens when a chain is incomplete, and the client can't establish a full chain from the server's certificate to one of its trusted root certificate authorities. This means it can't validate the server, and thus, the connection fails.

This often occurs when only the SSL/TLS certificate is provided without including the necessary intermediate certificates. Modern browsers like Chrome and Firefox attempt to make it work by comparing it to the lists of Nodes of intermediate chains, which is far from an ideal solution.

At Netlify, we've witnessed firsthand the repercussions of incomplete certificate chains. Our customers sometimes upload the leaf certificate as the CA chain, which, while accepted, breaks the site in production. This common mistake can result in frustrating experiences for website owners and visitors.

Netlify's Solution: Strengthened Validation

To address this challenge, we've implemented enhanced validation measures in our platform. Our system now actively guards against cases where the CA chain matches the leaf certificate precisely, preventing the acceptance of incomplete chains. By being more thorough in our validations, we aim to save website administrators from the hassle and risks associated with misconfigured TLS certificates.

Conclusion

Netlify is committed to empowering website owners with robust security features and streamlined workflows. Our latest enhancement in certificate chain validation reflects this dedication by ensuring that TLS certificates are correctly configured and secure. Netlify’s server-side configuration of SSL/TLS protocols and accepted ciphers are aligned with industry best practices. Website owners can use a service like Qualys SSL Labs or similar tools to test their Netlify-deployed site.

With Netlify, you can have peace of mind knowing that your website's connections are encrypted and authenticated with complete certificate chains.