SSL Trust Chain and Intermediary Certificates

There are two types of certificate authorities (CAs): root CAs and intermediate CAs. For a certificate to be trusted, and often for a secure connection to be established at all, it must have been issued by a CA that is included in the trust store of the connecting device.

If the certificate was not issued by a trusted CA, the connecting device (e.g., a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).

To use an intermediate certificate, you need to combine the files before uploading. Although some browsers will accept certificates in an incorrect order, it is important to ensure they are in the correct order. That is:

  • The Primary Certificate - your_domain_name.crt

  • The Intermediate Certificate

  • The Root Certificate

This should look something like:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate)
-----END CERTIFICATE-----