Chain Completion

Next, the peer certificate's chain, or "pedigree" of issuer certificates, is established. The chain consists of the certificate's issuer certificate (if any), followed by that issuer's issuer certificate (if any), etc. up through a root or self-signed certificate. Such issuer certificates are generally CA (Certificate Authority) certificates, as opposed to the leaf (server or client) certificate itself, which is generally not a CA. A certificate's chain may be provided by the peer itself (e.g. via the sslcertificatechain or SSL Certificate Chain File settings on the peer), and/or it may be automatically completed locally from trusted certificates. In any event, the chain is constructed and verified locally by looking for each chain certificate's issuer certificate.