How to include the whole Certificate Chain in a PEM SSL Certificate

There are a few reasons that your application server might require access to a full certificate chain.  In most cases we are uploading and importing certificates in PEM format.  For the purposes of this article we will consider PEM, x.509, and Base64 synonymous.  They are overlapping standards (think JSON vs YAML).  Different tools in the same process chain will refer to the same data by each of these conventions so for this article, just think of them as the same thing. With all this in mind, when given the choice, choose Base64 as your export format.

If you have certificates or key files that are not in PEM format then you may need to convert them.  This is pretty simple using OpenSSL.  If you are doing a lot with SSL, make sure you have OpenSSL configured on your security workstation.  I may show examples of using OpenSSL, but documenting its use is out of scope for this article.

Some nomenclature:
Root Certificate Authority:  The top level of the certificate signing chain.  (Often kept offline for security purposes)
Trusted Root Authority:  A CA that has been configured as “Trusted” on an SSL client.  It doesn’t matter whether a cert is signed, or by whom, if the client doesn’t trust the source.
Intermediate / Subordinate / Signing Authority:  A Certificate Authority which is authorized by a higher-level authority to sign certificates.  There can be multiple levels of Authorities.
Certificate Signing Request (CSR):  A request generated by a user or application that is encoded with the host details that are required by the certificate.  A private key is also generated at the time a CSR is created.
Certificate Key:  An encrypted Private Key file that is required to unlock an SSL certificate for use.

Certificate: A PEM formatted SSL certificate text looks like this:

-----BEGIN CERTIFICATE-----
MIIDkDCCAnigAwIBAgIQTuVOyQrH5olB+fnG7NW1VjANBgkqhkiG9w0BAQsFADBHMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNsYWIxGTAXBgNVBAMTEGxhYi1QRFgtREMtMDEtQ0EwHhcNMTkwMjIwMTcwODE4WhcNMzkwMjIwMTcxODE4WjBHMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNsYWIxGTAXBgNVBAMTEGxhYi1QRFgtREMtMDEtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwH8y2AFprKxti31lkPb0SCSyTPqE8ifusCLRYMXVwquUDASxcxBam9Ulwt3vVJ5ZW56pBF2R3pbN+BZXGheo1Zb+RWBJqr45O14NjTRTtdhqrE2Xfs0cye7
-----END CERTIFICATE-----

There, with all of that out of the way… Your application has requested that the certificate you provide contains the entire signing chain.  So what do you do?  In some cases you might be asked to supply the certificate and the chain separately.  In this case, you will still need to build the chain.  In most cases, you will be asked to provide the certificate and the chain in one PEM certificate file.

First you need to identify your certificate chain.  You can sometimes download the whole chain from your CA.  That chain may or may not be in PEM format and may need to be converted using OpenSSL.  You may well have an easier way to get YOUR chain, but for completeness I’ll show how to build the chain by hand.


Above is the certificate chain for the SSL certificate issued for mysite.lab.local. The certificate was signed by lab-WDL-DC1-CA, which is subordinate to lab-PDX-DC-01-CA. You can also call lab-WDL-DC1-CA an Intermediate CA.

Most of the time, an application like a web server will only need the certificate itself and the associated private key file. Sometimes the application will require a full chain. There are different reasons. The SSL certificate might be used for bi-directional communication and needs the full chain so it knows to trust other servers signed in the chain. Or the application might act as a signing authority itself and needs knowledge of the whole chain.

In any case, if you have to provide the whole chain, you are generally only given the option of uploading one PEM file. In that case, you will want to structure it in this way.

-----BEGIN CERTIFICATE-----
If you are including the server cert in the chain, it goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
The last CA in the chain (the one that signed the server cert) goes here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate / Subordinate CAs go here, one after the other, in ascending order
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
The Root CA Certificate goes here
-----END CERTIFICATE-----

So based on the image of the certificate chain above, a valid chain including the certificate would look like this.

-----BEGIN CERTIFICATE-----
MIIF1TCCBL2gAwIBAgITcQAAACz2nO0ua9rYBwABAAAALDANBgkqhkiG9w0BAQsFADBHMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNsYWIxGTAXBgNVBAMTEGxhYi1QRFgtREMtMDEtQ0EwHhcNMTkwMzA3MjMyMTMwWhcNMjEwMzA2MjMyMTMwWjCBjzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMQwwCgYDVQQHzi7KK5j6hL4/fvccfbcjdB3TEwECtOmMVIZuycdslGs90ET9WxxOqsheQY0rUCL6hxD+gAAAAAAAAAJQVv/+qnW2hwQKAApEgghsYWItb2N1bYISbGFiLW9jdWcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bGFiLERDPWxvY2FsP2NBQ
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Tj1sYWItUERYLURDLTAxLUNBKDEpLENOPXBkeC1kYy0wMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1sYWIsREM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHABggrBgEFBQcBAQSBszCBsDCBrQYIKwYBBQUHMAKGgaBsZGFwOi8vL0NOPWxhYi1QRFgtREMtMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bGFiLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFzPAOI6gOgCWA8D9u677tURcgQfXuYOnve
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDkDCCAnigAwIBAgIQTuVOyQrH5olB+fnG7NW1VjANBgkqhkiG9w0BAQsFADBHMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNsYWIcxeLNihMSOLARu5/1gUZgAPucZJWvIRYBP9LOcjTUJPxvkX9pcFzswtzmdSU3sa7vr0lJhpA==ENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHABggrBgEFBQcBAQSBszCBsDCBrQYIKwYBBQUHMAKGgaBsZGFwOi8vL0NOPWxhYi1QRFgtREMtMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bGFiLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/Y
-----END CERTIFICATE-----
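Building that file by hand means reading each certificate's Subject and Issuer and pasting them in the right order. The POSIX shell script below is an added example, not part of the original post: it uses the openssl CLI to assemble the chain automatically (server cert, then its issuing CA, then further intermediates, then the root) from a leaf certificate and a CA bundle supplied in any order, and then verifies the result. It assumes the leaf file contains only the certificate and that the bundle holds every CA in the chain.

```shell
# Added example, not the post's own script: assemble a PEM chain file in the order the
# post describes by matching each cert's Issuer DN to the next cert's Subject DN.
set -eu

# Print the Subject or Issuer DN (one line, RFC 2253 form) of the PEM cert on stdin.
cert_field() {   # $1 = subject | issuer
  openssl x509 -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Split a multi-cert PEM file into $2/cert-001.pem, cert-002.pem, ... in file order.
split_bundle() {   # $1 = bundle file, $2 = output directory
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
    n { print > f }
    /-----END CERTIFICATE-----/   { close(f) }' "$1"
}

# Walk from the leaf up to a self-signed root, printing each cert as it is found.
build_chain() {   # $1 = leaf PEM (cert only), $2 = CA bundle PEM; chain on stdout
  tmp=$(mktemp -d); split_bundle "$2" "$tmp"; cur="$1"; depth=0
  while :; do
    cat "$cur"
    subj=$(cert_field subject < "$cur"); iss=$(cert_field issuer < "$cur")
    [ "$subj" != "$iss" ] || break            # self-signed: the root, stop here
    depth=$((depth + 1))
    [ "$depth" -le 10 ] || { echo "chain too long" >&2; rm -rf "$tmp"; return 1; }
    next=""
    for f in "$tmp"/cert-*.pem; do
      if [ "$(cert_field subject < "$f")" = "$iss" ]; then next="$f"; break; fi
    done
    [ -n "$next" ] || { echo "bundle has no cert for issuer: $iss" >&2; rm -rf "$tmp"; return 1; }
    cur="$next"
  done
  rm -rf "$tmp"
}

# Print the Subject of every cert in a chain file, in file order, for eyeballing.
chain_subjects() {   # $1 = chain PEM
  tmp=$(mktemp -d); split_bundle "$1" "$tmp"
  for f in "$tmp"/cert-*.pem; do cert_field subject < "$f"; done
  rm -rf "$tmp"
}

# Confirm the first cert in the file verifies up to the last (root) one.
verify_chain() {   # $1 = ordered chain PEM
  tmp=$(mktemp -d); split_bundle "$1" "$tmp"
  root=$(ls "$tmp"/cert-*.pem | tail -n 1)
  if openssl verify -CAfile "$root" -untrusted "$1" "$1" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -rf "$tmp"; return "$rc"
}
```

Typical use is `build_chain mysite.pem ca-bundle.pem > fullchain.pem && verify_chain fullchain.pem`; if the bundle is missing an intermediate, build_chain stops and names the Issuer it could not find instead of writing a chain with a gap.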
