Last Updated: February 25, 2016
· destructuring

Building an SSL certificate chain

SSL certificates usually have one or more intermediates, forming a chain to a trusted CA bundle included in your OS or browser. With nginx, you have to concatenate the SSL cert and intermediates in their ASCII PEM format.

Find the SSL cert's issuer hash:

openssl x509 -noout -in $SSL_CERT -issuer_hash

Find the intermediate cert by checking it's hash, which should match the above.

openssl x509 -noout -in $INTR_CERT -hash

I name intermediate certs with their hash in the filename to map hashes to certs.

Repeat this for the intermediate certs until you reach a trusted root in your OS or browser CA bundles.

Now finding the intermediate certs to check is a pain. There's no standard way to ask for its location from an SSL cert, and many providers don't make it easy to search or download.