How to configure the chain of SSL certificates and why it is necessary

An SSL certificate is required when switching to the HTTPS protocol, which provides a secure connection and protects user data. The certificate lets the browser confirm the domain name when it connects. For a number of devices and applications, a domain certificate alone is not enough: you must also configure the certificate chain.

What is a chain of certificates

Installing an SSL certificate is an important step when switching to the secure HTTPS protocol, because it ensures the safety of personal data. Users place more trust in such a website. The security of a web resource can also affect its position in the search results.

As a rule, a single certificate is sufficient to encrypt the information sent between the visitor's browser and the server. However, some resources require greater reliability and multi-level protection. For example, a banking resource involves large financial transactions. In this case, an SSL certificate is required that contains not only the certificate for the domain but also the certificate chain (CA Bundle).

The SSL certificate chain includes certificates of guarantors confirming the validity of the document as a whole. The CA Bundle structure is as follows:
  1. Root certificate.
  2. Certificates of intermediaries (Intermediate).

Each certificate in the chain has an electronic digital signature, linking it to the certificate one step below. The root CA is the top link in the certificate hierarchy. CA stands for Certificate Authority: certificates are issued by a certification authority, which confirms the authenticity of the encryption keys with this document.

SSL certificate chain scheme

How to set up an SSL certificate chain

The structure of the chain links depends on the type of certificate. As a rule, this sequence is sent by e-mail along with the domain certificate, or it can be downloaded from the website of the SSL provider that issued the certificate. In this case, the guarantor is a certification authority. The next step is to configure the SSL chain. There are two ways to do this.

Create a text document

To do this, place the certificate chain as a list in a text document. What the CA Bundle looks like can be seen in the example below — certificates with the .crt extension are placed in the specified sequence:

  • CARoot.crt
  • Intermediate1.crt
  • Intermediate2.crt
  • Intermediate3.crt
  • domain.crt

Here CARoot.crt is the root certificate, the Intermediate files are the intermediate certificates, and domain.crt is the domain certificate. There can be many guarantors in the chain. The main task is to ensure that all links in the chain are digitally linked to each other.

The text file with the certificate chain should be saved as domain.ca-bundle.

Use the command line

In this line, you need to list the intermediary certificates in order and end the sequence by specifying the domain.ca-bundle file name.

Errors in setting up the certificate chain

The server certificate chain is incomplete

Sometimes you can get a signal that the certificate chain is broken or incomplete. As a rule, this indicates a problem with the intermediate certificates: one is missing from the chain, the sequence is incorrect, or one of the certificates has expired.

You can check the chain settings using online services, for example SSL Shopper or SSL Checker.
The server's certificate chain is incomplete and the signers are not registered
To fix the error, you need to export each intermediate certificate in a chain and associate the Intermediate / chain with the root certificate. A correctly configured certificate chain will be a signal for the browser that the website can be trusted.
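
The command-line step and the incomplete-chain error can be reproduced locally with a throwaway certificate hierarchy. This is an added example, not a command from the original article: it assumes the `openssl` CLI is installed, reuses the file names from the list above, and every subject, key and certificate in it is constructed test data.

```shell
#!/bin/sh
# Added example. All subjects, file contents and keys are constructed test data.

# issue NAME CN EXTFILE [ISSUER SERIAL]: write NAME.key and NAME.crt in the
# current directory. Without ISSUER the certificate is self-signed (the root).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" \
      -set_serial "$5" -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}

# make_chain DIR: build root -> intermediate -> domain certificate in DIR, then
# assemble the bundle by concatenating PEM files. The cat order (intermediate,
# then root) is this example's assumption; openssl verify accepts any order.
make_chain() {
  (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    issue CARoot "Constructed Root CA" ca.ext &&
      issue Intermediate1 "Constructed Intermediate CA" ca.ext CARoot 2 &&
      issue domain "www.example.test" leaf.ext Intermediate1 3 &&
      cat Intermediate1.crt CARoot.crt > domain.ca-bundle
  )
}

# verify_leaf DIR [BUNDLE]: the client trusts only CARoot.crt; BUNDLE stands for
# what the server sends with domain.crt. Exit status 0 means the chain builds.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/CARoot.crt" -untrusted "$2" "$1/domain.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/CARoot.crt" "$1/domain.crt" >/dev/null 2>&1
  fi
}

work=$(mktemp -d)
make_chain "$work" || { echo "openssl failed" >&2; exit 1; }
verify_leaf "$work" "" && echo "leaf only: OK" || echo "leaf only: chain incomplete"
verify_leaf "$work" "$work/domain.ca-bundle" && echo "with bundle: OK" \
  || echo "with bundle: FAILED"
rm -rf "$work"
```

The first check fails because the intermediate certificate is missing, which is the incomplete-chain condition described above; the second succeeds once the bundle supplies it.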

Failed to validate the certificate chain

Another common mistake is the inability to build a certificate chain. This signals an internal error and is often associated with a lack of a valid root certificate. The solution to this problem is to install the root certificate of the Certification Authority.
Error signing data: Unable to build certificate chain for trusted root center

Conclusion

A chain of certificates is an additional way to confirm the reliability of a resource. Using a file structure that acts as guarantor, you can confirm the validity of the SSL certificate.

Setting up a chain and checking the correctness of its operation will expand the possibilities of using a web resource in various applications. Special online services will help you quickly identify errors in the chain.