how is an SSL certificate chain bundle arranged?
I have 4 certificate files like this:
1.certum_certificate.crt
2.certum_certificate.pem
3.Intermediate_CA2.cer
4.Intermediate_CA.cer
5.Root_CA.cer
I put these files content by this order in a bundle file and I figured out that my SSL chain is incomplete.
How should I arrange them in bundle file?
In order to form the certificate chain, you need to know the trust order of your certificate in the chain.
Just append the content of the individual certificate in a correct order to form a single certificate chain file. The order of the chain starts with your server certificate at the beginning, then follow by the intermediate certificate(s) and end up with the root certificate.
For example, we have the following cert issuer chain
Then the content of the chain certificate file should be like this:
-----BEGIN CERTIFICATE-----
[Server Certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate certificate L1]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate certificate L2]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root Certificate]
-----END CERTIFICATE-----
Back to your question, I assume that your certificate issue chain order is
certum_certificate <--(Issued by)-- Intermediate_CA <--(Issued by)-- Intermediate_CA2 <--(Issued by)-- Root_CA
Then your order is
(certum_certificate.crt content)
(Intermediate_CA.cer content)
(Intermediate_CA2.cer content)
(Root_CA.cer content)
What if I'm not so sure about my cert issue order?
If your certs file names are all mix up and you're not sure about the issuing order, just simply use openssl to view the certificate to reveal the issuer of this certificate.
For example
openssl x509 -noout -text -in 'Entrust Certification Authority - L1K.crt'
We can infer that this Entrust Certification Authority - L1K cert is issued by Entrust Root Certification Authority - G2.
- Setup Coolify with CloudFlared & SSL/TLS HTTPS
- Custom Security Provider works in fat jar but not in GraalVM native image while extracting PostgreSQL server certificates
- How to disable certain handshake features
- Misunderstood Secure Context of Web Crypto API?
- SSL Localhost Privacy error
- SSL_ERROR_NO_CYPHER_OVERLAP when using Tomcat, but works for Apache
- Does the TLS cert would require an common SAN
- Different .NET 8 runtime behaviour based on different SDK used
- Configure jax-ws in Glassfish not to supply client certificate in SSL handshake
- Handshake Failure: SSL Alert number 40
- 502 error with NGINX and Cloudflare - 2 servers
- Composer Curl error 60: SSL certificate problem: unable to get local issuer certificate
- SSL certificate problem: unable to get local issuer certificate AZURE DEVOPS
- Failed to find any PEM data in key
- WinRm - Cannot create a WinRM listener on HTTPS due to incorrect SSL certificate
- Configure SSRS for SSL
- IIS 7 Error "A specified logon session does not exist. It may already have been terminated." when using https
- OpenSSL error installing Ruby 2.1.x and 2.3.x on Archlinux with ruby-install/ruby-build
- ERR_ECH_FALLBACK_CERTIFICATE_INVALID error on Chrome (117.0.5938.132) on Windows
- cURL error 60: SSL certificate: unable to get local issuer certificate
- emsdk install fails with urlopen error [SSL: CERTIFICATE_VERIFY_FAILED]
- how is an SSL certificate chain bundle arranged?
- How to get Python requests to trust a self signed SSL certificate?
- What RSA key length should I use for my SSL certificates?
- FTPS (FTP-SSL) in Qt 4.6
- Error: Connections using insecure transport are prohibited while --require_secure_transport=ON in Mautic Docker container to Azure MySQL
- Self-signed certificate error when forcing SSL connecting to RDS PSQL
- WhatsApp Cloud API webhook verification fails: “The callback URL or verification token check failed”
- "no certificate or crl found" when supplying PEM file constructed from string
- Adding HSTS http headers on domain root during redirect to www subdomain in web.config