When you purchase an SSL certificate from a certificate authority, in most cases it is signed not by the root certificate of this authority, but by an intermediate certificate(s). The path from your certificate through those intermediates and up to the root is called a certificate chain. While browsers can resolve those chains by downloading certificates from sources specified in them, the whole chain except for the root cert is better to be included in the response your server sends during TLS connection.
Certificate authorities usually tell you which intermediate certs you should include. For example, here’s what COMODO sends to you when you purchase a PositiveSSL certificate:
To install them on your server, you’ll have to concatenate the chain in the proper order. The result should look like this:
(Note that the root certificate should not be in the concatenated chain, as it is already included in the browser’s root CA store.)
cert-chain-resolver is a little script that will download and concatenate in the proper order the certificate chain for you, given the certificate.
The script is available from GitHub. You can download it using the browser or with
or you can use
git to fetch the repository:
git clone https://github.com/zakjan/cert-chain-resolver.git
The script depends on OpenSSL and curl, which are probably already installed on your *nix system.
Using the SSL certificate chain resolver script
After you received your certificate from CA, run:
./resolve.sh input.pem output.pem
where input.pem is your certificate, and output.pem will be the generated chain, which you’ll install on your server.
Note that as of this writing The OS X issue has been fixed)
resolve.sh doesn’t work in OS X Yosemite — there is an open issue about it, which I hope will be fixed soon.
Project information and source code
Author: Jan Žák (@zakjan)
Hi, the OSX issue have been resolved. Thanks for you detailed post 🙂
Thank you, Jan! I have updated the article.
Comments are closed.