Chain of Trust

Certificate chain of trust

A hierarchy of trust begins with at least one certification authority—known as the root authority—that is trusted by all entities in the certificate chain. This can be an internal certification authority administrator, or an external company or organization that specializes in verifying identities and issuing certificates. The root authority then certifies other certification authorities—known as first-tier certification authorities—that can both issue certificates and certify additional or second-tier certification authorities.

This “hierarchy of trust” is shown in the following illustration:


The identity of the certification authority issuing a certificate is part of a certificate. This certification authority is known as the certificate’s issuer. When a certificate’s issuer is a tier 1 or tier 2 certification authority, the receiver of the certificate can determine whether the certificate’s issuer is certified as a valid certification authority by a certification authority at a level above it, and that the higher-level certification authority is certified as a valid certification authority by an even higher level certification authority. Thus it can be determined that a chain of trust exists between the lowest level certification authority and the root certification authority.

For example, in the above illustration, it can be verified that CA #4 was certified as a certification authority by CA #1, and that CA #1 was certified as a certification authority by the root CA. Thus, when a certificate from a lower-level certification authority is passed along with the encrypted message, information about all of the certificates in its chain of trust up to the root is transferred along with it.

To upload a certificate that includes a chain of trust:

  1. Obtain your certificate from the IDP and rename it INST_CODE.crt. NOTE: If copying the certificate from a web browser, make sure to right-click and select “View Source,” then copy from the source of the page, to make sure that the certificate format is copied correctly.
  2. Add the following to the beginning of the certificate:
    —–BEGIN CERTIFICATE—–and the following to the end of the certificate:
  3. Copy the idp_saml.jks file to a new file: alma_saml_INST_CODE.jks.
  4. Import your certificate into the new JKS file using the following command:
keytool -importcert -file INST_CODE.crt -keystore alma_saml_INST_CODE.jks -alias "idp saml_jks" -trustcacerts -storepass p5909206323797881374

This command should be performed in same directory in which the keytool is stored. Most computer do have this tool. You can search your local drive and find it.

  1. Open the INST_CODE.crt file. For example:

  1. Double-click each of the intermediate certificates (in the above example, TERENA and UTN). Each opens a separate certificate.

  1. Copy the intermediate certificate to a new .crt file
  2. For each certificate, repeat Step 4 to import the .crt files to the JKS under a new alias. For example, in the above illustration, there are two intermediate certificates:keytool -importcert -file TERENA.cer -keystore alma_saml_44MAN_INST.jks -alias “CA1” -trustcacerts – storepass p5909206323797881374
    keytool -importcert -file UTN-USER.cer -keystore alma_saml_44MAN_INST.jks -alias “CA2” -trustcacerts – storepass p5909206323797881374
  3. After you have performed the above procedure, the JKS file includes all the certificates of the trust chain. Upload the alma_saml_.jks file via the SAML profile, with “JKS file” option.