James Cook -
Joined: 13 Oct 2018 Posts: 13 Location: Michigan USA
Posted: Wed Nov 15, 2023 6:32 pm Post subject: Installing an Intermediate Certificate |
Our site is running with a certificate installed and it works for all browsers except for Safari.
Running the URL through the checker at DigiCert shows:
TLS Certificate status cannot be validated
And
The server is not sending the required intermediate certificate.
We received two crt files from the certificate vendor. One is named to match our URL, the other is named DigiCertCA.crt
Do I do the full certificate installation for each one, or is there some other step to handle the Intermediate Certificate?
_________________
Jim
pkSML -
Joined: 29 May 2006 Posts: 955 Location: Michigan, USA
Posted: Fri Nov 17, 2023 1:06 pm Post subject: |
I'm guessing you just need to concatenate the two files into one.
When using Letsencrypt's certbot program and nginx, the SSL cert file used in the nginx config is 'fullchain.pem'.
Here are the files created by certbot:
Code: |
-rw-r--r-- 1 root root 1777 Nov 15 12:18 cert.pem
-rw-r--r-- 1 root root 3749 Nov 15 12:18 chain.pem
-rw-r--r-- 1 root root 5526 Nov 15 12:18 fullchain.pem
-rw------- 1 root root 1704 Nov 15 12:18 privkey.pem |
You'll notice the fullchain.pem file is the combined filesize of cert.pem & chain.pem (1777+3749=5526).
fullchain.pem is comprised of the contents of cert.pem and then chain.pem.
Here is the format of fullchain.pem:
Code: |
-----BEGIN CERTIFICATE-----
MIIE8zCCA9ugAwIBAgISBBrHok1Kx6JnHREIO9jdli+/MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
...
bFZJwJwesba+QknenPozfkzaMaxjqNG23RNocm60a+4itc4zGbvi1HyfZmL0Ez3R
CvKH0swKb8BVnbuAOtMXm2HkCU8R9hA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
...
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
...
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE----- |
If your certs are pem-encoded, just concatenate your domain's cert and DigiCert's cert. If they're of a different format, you'll need to use openssl to convert to pem format. (Just Google "convert cert to pem".)
_________________
Stephen
Need a LitlURL?
http://CodeBin.yi.org |
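
An added example, not code from either poster or from certbot or DigiCert: a standard-library Python script for the concatenation step described above. It accepts PEM or DER input, puts the domain certificate first and the intermediate second, and refuses to build the bundle unless each certificate's issuer matches the next certificate's subject. The function names are hypothetical, `ssl.DER_cert_to_PEM_cert` stands in for the openssl conversion mentioned in the post, and the check assumes a byte-for-byte name comparison and does not verify signatures.

```python
import base64, re, ssl, sys
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def to_der_list(data):
    """Accept a PEM bundle or one DER certificate; return a list of DER blobs."""
    blocks = PEM_RE.findall(data)
    return [base64.b64decode(b) for b in blocks] if blocks else [data]

def issuer_subject(der):
    """Return the raw DER-encoded issuer and subject Names of one certificate."""
    _, start, _ = read_tlv(der, 0)       # Certificate SEQUENCE
    _, pos, end = read_tlv(der, start)   # TBSCertificate SEQUENCE
    fields = []
    while pos < end and len(fields) < 5:
        tag, _, vend = read_tlv(der, pos)
        if fields or tag != 0xA0:        # skip the optional [0] version field
            fields.append(der[pos:vend])
        pos = vend
    return fields[2], fields[4]          # serial, sigalg, ISSUER, validity, SUBJECT

def chain_problems(bundle):
    """Check order only: leaf first, each certificate issued by the next one."""
    names = [issuer_subject(d) for d in to_der_list(bundle)]
    problems = [] if len(names) > 1 else ["no intermediate certificate in bundle"]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:  # assumption: Names compared as raw bytes
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems

def build_fullchain(leaf, intermediate):
    """Concatenate leaf then intermediate (PEM or DER bytes) into one PEM bundle."""
    ders = to_der_list(leaf) + to_der_list(intermediate)
    pem = "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)
    problems = chain_problems(pem.encode())
    if problems:
        raise ValueError("; ".join(problems))
    return pem

if __name__ == "__main__":  # arguments: <domain cert> <intermediate cert>
    leaf, inter = (open(p, "rb").read() for p in sys.argv[1:3])
    sys.stdout.write(build_fullchain(leaf, inter))
```

Run it as `python3 build_fullchain.py your_domain.crt DigiCertCA.crt > fullchain.pem`; the script name and the first file name are placeholders.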