How-to 5 min read September 30, 2019

How to configure the chain of SSL certificates and why it is necessary

An SSL certificate is required when switching to the HTTPS protocol, which provides a secure connection and user data protection. The certificate lets the browser confirm the domain name when it connects. For a number of devices and applications, a domain certificate alone is not enough: you must also configure the certificate chain.

What is a chain of certificates

Installing an SSL certificate is an important step when switching to the secure HTTPS protocol: it ensures the safety of personal data. Such a website inspires more trust among users. The security of a web resource can also affect its position in the search results.

As a rule, a single certificate is sufficient to encrypt the information sent between the visitor's browser and the server. However, some resources require greater reliability and multi-level protection. For example, a banking resource involves large financial transactions. In this case, an SSL certificate is required that contains not only the certificate for the domain but also the certificate chain (CA Bundle).

The SSL certificate chain includes certificates of guarantors confirming the validity of the document as a whole. The CA Bundle structure is as follows:

  1. Root certificate.
  2. Certificates of intermediaries (Intermediate).

Each certificate in the chain has a digital signature linking it to the certificate one step below. The root CA is the top link in the certificate hierarchy. CA stands for Certificate Authority: the certificates are issued by a certification authority, which confirms the authenticity of the encryption keys with this document.

[Figure: SSL certificate chain scheme]

How to set up an SSL certificate chain

The structure of the chain links depends on the type of certificate. As a rule, this sequence can be obtained along with a domain certificate by e-mail or downloaded on the website of the SSL provider that issued the certificate. In this case, the guarantor is a certification authority. The next step is to configure the SSL chain. There are two ways to do this.

Create a text document

To do this, place the certificate chain as a list in a text document. What the CA Bundle looks like can be seen in the example below — certificates with the .crt extension are placed in the specified sequence:

  • CARoot.crt
  • Intermediate1.crt
  • Intermediate2.crt
  • Intermediate3.crt
  • domain.crt

The CARoot.crt file here is the root certificate, the Intermediate files are the intermediaries, and domain.crt is the domain certificate. There can be many guarantors in the chain. The main task is to ensure that all links in the chain are digitally linked to each other.

The text file with the certificate chain should be saved as domain.ca-bundle.

Use the command line

On the command line, you need to list the intermediary certificates in order and end the sequence by specifying the domain.ca-bundle file name.

Errors in setting up the certificate chain

The server certificate chain is incomplete

Sometimes you get a warning that the certificate chain is broken or incomplete. As a rule, this indicates a problem with the intermediate certificates: one is absent from the chain, the sequence is incorrect, or one of the certificates has expired.

You can check the chain settings using online services, for example SSL Shopper or SSL Checker.

[Figure: The server's certificate chain is incomplete and the signers are not registered]

To fix the error, you need to export each intermediate certificate in the chain and associate the intermediate chain with the root certificate. A correctly configured certificate chain signals to the browser that the website can be trusted.

Failed to validate the certificate chain

Another common error is the inability to build a certificate chain. This signals an internal error and is often associated with the lack of a valid root certificate. The solution to this problem is to install the root certificate of the Certification Authority.

[Figure: Error signing data: Unable to build certificate chain for trusted root center]
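
The bundle-building step from "Create a text document" / "Use the command line" and the two errors above can be reproduced offline. The script below is an added example, not part of the original article: it assumes the openssl command-line tool is installed, generates a throwaway constructed chain (Demo Root CA, Demo Intermediate CA, www.example.test and an unrelated root), concatenates it in the sequence the article lists, and checks the domain certificate against a complete bundle, a bundle with the intermediate missing, and the wrong root. The helper names issue, list_links and chain_ok are hypothetical.

```shell
#!/bin/sh
# Added example: build domain.ca-bundle and check that every link verifies.
# All keys, subjects and file contents are constructed for this demo.
set -eu

# issue NAME CN CA_FLAG [ISSUER]: create NAME.key and NAME.crt signed by
# ISSUER, or self-signed (a root certificate) when ISSUER is omitted.
issue() {
  name=$1; cn=$2; ca=$3; issuer=${4:-}
  printf 'basicConstraints=critical,CA:%s\n' "$ca" > "$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  if [ -n "$issuer" ]; then set -- -CA "$issuer.crt" -CAkey "$issuer.key"
  else set -- -signkey "$name.key"; fi
  openssl x509 -req -in "$name.csr" -days 30 -extfile "$name.ext" \
    -set_serial "0x$(openssl rand -hex 8)" "$@" -out "$name.crt" 2>/dev/null
}

# list_links BUNDLE: print subject and issuer of each certificate, in order.
list_links() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# chain_ok ROOT BUNDLE CERT: succeed only if CERT chains up to the trusted
# ROOT, using the certificates in BUNDLE as untrusted helpers.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
issue CARoot        "Demo Root CA"         TRUE
issue Intermediate1 "Demo Intermediate CA" TRUE  CARoot
issue domain        "www.example.test"     FALSE Intermediate1
issue OtherRoot     "Unrelated Root CA"    TRUE

# Concatenate in the sequence the article lists, saved as domain.ca-bundle.
cat CARoot.crt Intermediate1.crt domain.crt > domain.ca-bundle
# The same bundle without the intermediate: the "incomplete chain" case.
cat CARoot.crt domain.crt > incomplete.ca-bundle

list_links domain.ca-bundle
# Expected: OK for the first case, BROKEN for the other two.
for c in "CARoot.crt domain.ca-bundle" "CARoot.crt incomplete.ca-bundle" \
         "OtherRoot.crt domain.ca-bundle"; do
  set -- $c
  if chain_ok "$1" "$2" domain.crt; then echo "OK      trust=$1 bundle=$2"
  else echo "BROKEN  trust=$1 bundle=$2"; fi
done
```

In the list_links output, each certificate's issuer should match the subject of another certificate in the bundle; a gap in that sequence is the missing or misplaced link.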

Conclusion

A chain of certificates is an additional way to confirm the reliability of a resource. The chain of files acts as guarantor, letting you confirm the validity of the SSL certificate.

Setting up a chain and checking the correctness of its operation will expand the possibilities of using a web resource in various applications. Special online services will help you quickly identify errors in the chain.