Installing an Intermediate Certificate

James Cook
Joined: 13 Oct 2018
Posts: 13
Location: Michigan USA

Posted: Wed Nov 15, 2023 6:32 pm    Post subject: Installing an Intermediate Certificate

Our site is running with a certificate installed and it works for all browsers except for Safari.

Running the URL through the checker at DigiCert shows:
TLS Certificate status cannot be validated
And
The server is not sending the required intermediate certificate.

We received two crt files from the certificate vendor. One is named to match our URL, the other is named DigiCertCA.crt

Do I do the full certificate installation for each one, or is there some other step to handle the Intermediate Certificate?
_________________
Jim
pkSML
Joined: 29 May 2006
Posts: 952
Location: Michigan, USA

Posted: Fri Nov 17, 2023 1:06 pm

I'm guessing you just need to concatenate the two files into one.

When using Letsencrypt's certbot program and nginx, the SSL cert file used in the nginx config is 'fullchain.pem'.

Here are the files created by certbot:

Code:

-rw-r--r-- 1 root root 1777 Nov 15 12:18 cert.pem
-rw-r--r-- 1 root root 3749 Nov 15 12:18 chain.pem
-rw-r--r-- 1 root root 5526 Nov 15 12:18 fullchain.pem
-rw------- 1 root root 1704 Nov 15 12:18 privkey.pem


You'll notice the fullchain.pem file is the combined filesize of cert.pem & chain.pem (1777+3749=5526).

fullchain.pem is comprised of the contents of cert.pem and then chain.pem.

Here is the format of fullchain.pem:

Code:
-----BEGIN CERTIFICATE-----
MIIE8zCCA9ugAwIBAgISBBrHok1Kx6JnHREIO9jdli+/MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
...
bFZJwJwesba+QknenPozfkzaMaxjqNG23RNocm60a+4itc4zGbvi1HyfZmL0Ez3R
CvKH0swKb8BVnbuAOtMXm2HkCU8R9hA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
...
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
...
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----


If your certs are pem-encoded, just concatenate your domain's cert and DigiCert's cert. If they're of a different format, you'll need to use openssl to convert to pem format. (Just Google "convert cert to pem".)
_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org
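
The concatenation described in the reply above, as an added example that is not part of either post: it builds a fullchain-style file from the two vendor files, accepting PEM or binary DER input, normalizing line endings, and refusing any private-key block. The function names are hypothetical, and the code checks only the encoding, not signatures or whether the intermediate actually issued the server certificate.

```python
import base64
import re
import ssl

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def to_pem_certs(data: bytes) -> list[str]:
    """Return every certificate in data as a normalized PEM string.

    Accepts PEM (one or more blocks, CRLF or LF) or one binary DER cert.
    """
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # No PEM armor: DER always starts with an ASN.1 SEQUENCE tag (0x30).
        if not data.startswith(b"\x30"):
            raise ValueError("neither PEM nor DER certificate data")
        return [ssl.DER_cert_to_PEM_cert(data)]
    certs = []
    for label, body in blocks:
        if label != b"CERTIFICATE":
            # A private key must never end up in the file the server sends.
            raise ValueError(f"unexpected PEM block: {label.decode()}")
        der = base64.b64decode(b"".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):
            raise ValueError("PEM block does not contain DER data")
        certs.append(ssl.DER_cert_to_PEM_cert(der))
    return certs


def build_fullchain(server_cert: bytes, *intermediates: bytes) -> str:
    """Server certificate first, then each intermediate, one block each."""
    chain = to_pem_certs(server_cert)
    if len(chain) != 1:
        # Assumption: the file named after the site holds only its own cert.
        raise ValueError("server certificate file should hold exactly one cert")
    for data in intermediates:
        chain += to_pem_certs(data)
    # Each block ends in a newline, so END/BEGIN lines can never fuse together.
    return "".join(chain)


if __name__ == "__main__":
    # Constructed placeholder bytes, not real certificates.
    leaf_der, ca_der = b"\x30\x03abc", b"\x30\x03xyz"
    crlf_pem = ssl.DER_cert_to_PEM_cert(leaf_der).replace("\n", "\r\n")
    print(build_fullchain(crlf_pem.encode().rstrip(), ca_der))
```

With real files, pass the bytes of the site certificate first and DigiCertCA.crt second, then write the returned string to the file the server is configured to use.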