What's My Chain Cert? By SSLMate

Did you know that when you install an SSL certificate, you have to install not only your site's certificate, but also one or more intermediate (a.k.a. chain) certificates? Failure to install the correct chain can cause certificate errors in browsers, driving visitors away from your site. To complicate matters, some browsers cache intermediate certificates or download missing intermediates on demand, so an improperly configured chain can work in some browsers but not in others, which makes this an annoying problem to debug.

This site tests if your server is serving the correct certificate chain, tells you what chain you should be serving, and helps you configure your server to serve it.

Test Your Server

Checks port 443 (HTTPS) by default. For a different port, specify it with the hostname like: example.com:993

Generate the Correct Chain

The generated chain will include your server's leaf certificate, followed by every required intermediate certificate, optionally followed by the root certificate.

Paste your certificate in the box below to generate the correct chain for it, based on the metadata embedded in the certificate. Or, enter the hostname of a server to generate the correct chain for its certificate.

Include the Root Certificate?

You do not need to include the root certificate in the certificate chain that you serve, since clients already have the root certificate in their trust stores. Including the root is inefficient since it increases the size of the SSL handshake. A separate chain that includes the root certificate is sometimes used for other purposes, such as OCSP stapling. Such advanced configuration is beyond the scope of this guide, although the generator will generate such chains if you check the "Include Root Certificate" box.

Configure Your Server

Note: some software requires you to put your site's certificate chain (e.g. example.com.chained.crt) and your private key (e.g. example.com.key) in separate files, while other software requires you to put them in the same file. You can generate the combined file (example.com.combined.pem) with a command such as:

    cat example.com.key example.com.chained.crt > example.com.combined.pem

Apache

    SSLEngine on
    SSLCertificateKeyFile /path/to/example.com.key
    SSLCertificateFile /path/to/example.com.chained.crt

nginx

    ssl on;
    ssl_certificate_key /path/to/example.com.key;
    ssl_certificate /path/to/example.com.chained.crt;

Lighttpd

    ssl.engine = "enable"
    ssl.pemfile = "/path/to/example.com.combined.pem"

stunnel

    key = /path/to/example.com.key
    cert = /path/to/example.com.chained.crt

titus

    key /path/to/example.com.key
    cert /path/to/example.com.chained.crt

Dovecot 2

    ssl_key = </path/to/example.com.key
    ssl_cert = </path/to/example.com.chained.crt

Postfix

    smtp_tls_security_level = may
    smtpd_tls_security_level = may
    smtpd_tls_key_file = /path/to/example.com.key
    smtpd_tls_cert_file = /path/to/example.com.chained.crt

Prosody

    ssl = {
        key = "/path/to/example.com.key";
        certificate = "/path/to/example.com.chained.crt";
    }

Don't forget to restart your server software after changing its configuration!