SSL certificate chains, intermediate certs

  • Written by
    Herman Bos
  • Published on

Most browser trusted SSL certificates work with intermediate certificates nowadays. The CA only ships the root certificates for inclusion with the browsers and because they do this your certificate can’t be verified if you don’t include the intermediate certificates in your webserver configuration.

chain order

So you’re in the bottom in a chain of trust. Your certificate is signed by a certificate which is signed by another certificate and so on. Until you end up with the root certificate which should sign itself.

This is actually also the order in which your certificate is verified by the server and clients. If you mess up the order then it usually fails and SSL related errors are not the most intuitive. Hence this post.

building your pem file

  1. Private key (can also be in a separate file, depends on service or personal preference)
  2. Certificate you got from your CSR
  3. Intermediate certificate 2
  4. Intermediate certificate 1
  5. Root certificate

Confirm that you did well

certtool (gnutls-bin package in ubuntu).

certtool -e --infile yourchain.pem


openssl verify yourchain.pem

This one actually does not work for me. If someone can enlighten me why it throws me the error below I can update it here.

error 20 at 0 depth lookup:unable to get local issuer certificate


###Check remotely openssl s_client -connect -showcerts

It looks like an error but this return code is the right one:

Verify return code: 19 (self signed certificate in certificate chain)

Back to overview Newer post: webserver ssl configuration cheatsheet Older post: brief / dbase backup bonanza