How TLS certificate chain is verified
(1) Does the verification of the chain end there or does it continue on until we get to D?
it depends on a certificate chaining engine (CCE) implementation. Different platforms have different implementations which may not support all recommended/mandatory validation logic described in RFC5280.
Certificate trust requires an end of chain point which is presented in a self-signed form (we call such certificate as Root CA certificate). Since certificate B is not self-signed (it is signed by C), the A-B-C-D chain is not trusted until C and D are fetched and validated. So, the answer to this question is: the chain continues validation to the root.
If we talk about Microsoft implementation (just an example which I'm familiar with), their CCE builds one or more chains (as much as possible) without performing immediate validation. They just fetch certificates and attempt to perform basic rules to bind each certificate at the correct place in the chain. When all chains are built, each of them are validated according to rules described in RFC5280. Once validated, there might be a case that there are multiple trusted and valid chains. CCE uses its own selection logic to select only one chain from a collection of chains.
When we talk about cetrtificate stores in browsers, they are used to:
- establish a trust to a particular trusted root CA (Trusted Root CA store). These certificates MUST be presented in a self-signed form. Otherwise, they cannot be used as chain endpoint and the trust is not established (even though, the intermediate certificate is installed in the root store).
- help CCE to quickly build the chain without having to download missing certificates from internet, because they are available locally. Some brwosers completely lack an ability to process
Authority Information Access
extension, which means that SSL client is able to fetch CA certificates only from two sources: SSL handshake, local certificate store.
(2) When a server presents it's certificate chain to the browser, does it present the root certificate D as well or does in only present A-B-C?
it depends on a web server implementation. A reference from RFC 5246 §7.4.2:
certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
RFC suggests that root CA certificate MAY or MAY NOT be sent to client. As the result, when developing SSL client you should expect that root certificate may be shipped along the chain. Two major web servers: Apache and IIS by default DO NOT send root certificate during SSL handshake.