Skip to content

IronRoot

Certificate Chain

IronRoot

Getting Started
Getting Started
Architecture
Architecture
- System Model
  System Model
- PKI Model
  PKI Model
  - Root CA Concept
  - Intermediate CA Concept
  - Certificate Chain Certificate Chain
    Table of contents
    
    Browser Trust
    
    Verify A Chain
  - Root CA
  - Intermediate CA
  - Multi-Root CA
  - Certificate Lifecycle
  - Root Rotation
- Platform Components
  Platform Components
- Reference
  Reference
Installation
Installation
- Install Methods
  Install Methods
- Configure
  Configure
  - Configuration
  - Local Development
- Runtime TLS
  Runtime TLS
  - Podman TLS Usage
- Lifecycle
  Lifecycle
  - Upgrades
  - Uninstall
Security
Security
- Bootstrap And Checks
  Bootstrap And Checks
  - Bootstrap Guide
  - Security Check
- Trust And CA Handling
  Trust And CA Handling
- Hardening
  Hardening
- Resilience
  Resilience
Observability
Observability
- Signals
  Signals
  - Traces
  - Metrics
  - Logs
- OpenTelemetry Stack
  OpenTelemetry Stack
  - OpenTelemetry
  - Collector
  - Prometheus
  - Tempo
  - Loki
  - Grafana
- Operations
  Operations
- Deployment Integrations
  Deployment Integrations
  - Kubernetes
  - Podman
  - Binary
Kubernetes
Kubernetes
- Deploy
  Deploy
  - Helm Installation
  - Values Reference
- Operate
  Operate
Airgap
Airgap
- Overview
- Offline Trust
  Offline Trust
- Artifact Movement
  Artifact Movement
- Operations
  Operations
  - Airgap Upgrades
  - Airgap Recovery
Operations
Operations
- Certificate Operations
  Certificate Operations
- Recovery
  Recovery
- Runbooks
  Runbooks
API & CLI
API & CLI
- API
  API
- CLI
  CLI
- Configuration
  Configuration
  - Configuration Reference
  - Environment Variables
Contributing
Contributing
- Start Here
  Start Here
  - Local Development
    Local Development
    
    Overview
    
    Up And Running
    
    Multi-Root CA Development
    
    RBAC Development
    
    Testing And Verification
    
    Troubleshooting
  - Platform Setup
- Contributor Workflow
  Contributor Workflow
- Specialized Development
  Specialized Development
  - Helm Development
  - OpenTelemetry Development
- Releases And Roadmap
  Releases And Roadmap
- Project Community
  Project Community

Certificate Chain¶

Stage: Alpha Status: Draft

IronRoot certificates are validated as a chain:

flowchart TD
  Root[Root CA<br/>trusted by OS/browser] --> Intermediate[Intermediate CA]
  Intermediate --> Leaf[Website or client certificate]
  Leaf --> Browser[Browser or workload verifier]

A verifier does not need the private key for any CA. It needs the public Root CA certificate in a trust store and the Intermediate certificate in the served chain.

Browser Trust¶

For local testing, install root-ca.crt or trust-bundle/root-ca.crt into the OS or browser trust store. The browser then validates:

The website certificate matches the DNS name.
The website certificate was signed by the Intermediate.
The Intermediate was signed by the trusted Root.
None of the certificates are expired.

Verify A Chain¶

ironroot-admin ca verify-chain \
  --root-cert ./pki/root/root-ca.crt \
  --intermediate-cert ./pki/intermediate/intermediate-ca.crt \
  --cert ./certs/tls.crt