How to Generate SSL Certificate Chain for Nginx

I’m using a Comodo certificate; you will get these files in their email:

  • Root CA Certificate – AddTrustExternalCARoot.crt
  • Intermediate CA Certificate – UTNAddTrustSGCCA.crt
  • Intermediate CA Certificate – ComodoUTNSGCCA.crt
  • Intermediate CA Certificate – EssentialSSLCA_2.crt
  • Your EssentialSSL Certificate – www_example_com.crt

Correct order:

  1. Your EssentialSSL Certificate – www_example_com.crt
  2. Intermediate CA Certificate – EssentialSSLCA_2.crt
  3. Intermediate CA Certificate – ComodoUTNSGCCA.crt
  4. Intermediate CA Certificate – UTNAddTrustSGCCA.crt
  5. Root CA Certificate – AddTrustExternalCARoot.crt

You can create a chained certificate required by Nginx:

cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > example.com.chained.crt

In fact, you only need the first three certificates: most systems already have the root CA.

cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt > example.com.chained.crt

Update Mar 21, 2015:

Comodo updated their certificate filenames, so the correct order now is:

  1. Your EssentialSSL Certificate – www_example_com.crt
  2. Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
  3. Intermediate CA Certificate – COMODORSAAddTrustCA.crt
  4. Root CA Certificate – AddTrustExternalCARoot.crt

As before, the root certificate can be left out:

cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > example.com.chained.crt
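A check for the ordering described above, as an added example that is not part of the original post: it splits a chained file into its certificates and confirms that each one's issuer is the subject of the certificate after it. The function name `check_chain_order` is an assumption of this example; it relies on the `-issuer_hash` and `-subject_hash` options of `openssl x509`.

```shell
#!/bin/sh
# Added example: verify that a chained PEM file is ordered
# server certificate -> intermediates (-> optional root).
# Returns 0 if ordered, 1 on an ordering error, 2 if no certificate was found.

check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2

    # Split the bundle into one numbered file per certificate, in file order,
    # and report how many certificates were found.
    count=$(awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }
        END { print n + 0 }
    ' "$bundle")

    status=0
    [ "$count" -gt 0 ] || status=2

    # Each certificate must be issued by the one that follows it.
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/$i.pem")
        subject=$(openssl x509 -noout -subject_hash -in "$tmp/$next.pem")
        if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
            echo "position $i: issuer is not the subject at position $next" >&2
            status=1
        fi
        i=$next
    done

    # A last certificate whose issuer equals its own subject is a root;
    # clients already have it, so it can be dropped from the file.
    if [ "$count" -gt 0 ]; then
        last="$tmp/$count.pem"
        if [ "$(openssl x509 -noout -issuer_hash -in "$last")" = \
             "$(openssl x509 -noout -subject_hash -in "$last")" ]; then
            echo "note: last certificate is self-issued (root), optional" >&2
        fi
    fi

    rm -rf "$tmp"
    return "$status"
}
```

Run it as `check_chain_order example.com.chained.crt` before reloading Nginx; a non-zero exit status means the file is not in the order listed above.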