What's My Chain Cert?

By SSLMate

Did you know that when you install an SSL certificate, you have to install not only your site's certificate, but also one or more intermediate (a.k.a. chain) certificates? Failure to install the correct chain can cause certificate errors in browsers, driving visitors away from your site. To complicate matters, browsers cache chain certificates, meaning that an improperly-configured chain could work in some browsers but not others, making this an annoying problem to debug.

This site tests if your server is serving the correct certificate chain, tells you what chain you should be serving, and helps you configure your server to serve it.

Test Your Server

Checks port 443 (HTTPS) by default. For a different port, specify it with the hostname like: example.com:993

Generate the Correct Chain

Paste your certificate in the box below to generate the correct chain for it, based on the metadata embedded in the certificate. How does this work?

Or, enter the hostname of a server to generate the correct chain for its certificate:

Include the Root Certificate?

You do not need to include the root certificate in the certificate chain that you serve, since clients already have the root certificate in their trust stores. Including the root is inefficient since it increases the size of the SSL handshake.

A separate chain that includes the root certificate is sometimes used for other purposes, such as OCSP stapling. Such advanced configuration is beyond the scope of this guide, although the generator will generate such chains if you check the "Include Root Certificate" box.

Configure Your Server

Note: some software requires you to put your site's certificate (e.g. example.com.crt) and your chain certificates (e.g. example.com.chain.crt) in separate files, while other software requires you to put your chain certificates after your site's certificate in the same file.

You can generate the combined file (example.com.chained.crt) with a command such as:

cat example.com.crt example.com.chain.crt > example.com.chained.crt

Choose your software: Contribute config templates

Apache

SSLEngine on

SSLCertificateKeyFile /path/to/example.com.key

SSLCertificateFile /path/to/example.com.crt

SSLCertificateChainFile /path/to/example.com.chain.crt

nginx

ssl on;

ssl_certificate_key /path/to/example.com.key;

ssl_certificate /path/to/example.com.chained.crt;

Lighttpd

ssl.engine = "enable"

ssl.pemfile = "__COMBINED_PATH__"

ssl.ca-file = "/path/to/example.com.chain.crt"

stunnel

key = /path/to/example.com.key

cert = /path/to/example.com.chained.crt

titus

key /path/to/example.com.key

cert /path/to/example.com.chained.crt

Dovecot 2

ssl_key = </path/to/example.com.key

ssl_cert = </path/to/example.com.chained.crt

Postfix

smtp_tls_security_level = may

smtpd_tls_security_level = may

smtpd_tls_key_file = /path/to/example.com.key

smtpd_tls_cert_file = /path/to/example.com.chained.crt

Prosody

ssl = {

key = "/path/to/example.com.key";

certificate = "/path/to/example.com.chained.crt";

}

Don't forget to restart your server software after changing its configuration!

A Better Way to Buy and Manage SSL Certs

SSLMate lets you buy SSL certs from the command line. SSLMate saves you time and effort by automating away the error-prone tedium of CSR generation, certificate chain assembly, and renewals.