By SSLMate
Did you know that when you install an SSL certificate, you have to install not only your site's certificate, but also one or more intermediate (a.k.a. chain) certificates? Failure to install the correct chain can cause certificate errors in browsers, driving visitors away from your site. To complicate matters, some browsers cache intermediate certificates, or download missing intermediates on demand, meaning that an improperly configured chain could work in some browsers but not others, making this an annoying problem to debug. Plus, when you renew your certificate, you might need to install new intermediate certificates.
This site tests if your server is serving the correct certificate chain, tells you what chain you should be serving, and helps you configure your server to serve it.
Checks port 443 (HTTPS) by default. For a different port, specify it with the hostname like: example.com:993
The generated chain will include your server's leaf certificate, followed by every required intermediate certificate, optionally followed by the root certificate.
You do not need to include the root certificate in the certificate chain that you serve, since clients already have the root certificate in their trust stores. Including the root is inefficient since it increases the size of the SSL handshake.
A separate chain that includes the root certificate is sometimes used for other purposes, such as OCSP stapling. Such advanced configuration is beyond the scope of this guide, although the generator will generate such chains if you check the "Include Root Certificate" box.
Note: some software requires you to put your site's certificate chain (e.g. example.com.chained.crt) and your private key (e.g. example.com.key) in separate files, while other software requires you to put them in the same file. You can generate the combined file (example.com.combined.pem) with a command such as:
cat example.com.key example.com.chained.crt > example.com.combined.pem
Don't forget to restart your server software after changing its configuration!
Cert Spotter monitors your entire SSL certificate portfolio and alerts you about security and availability problems like incorrect certificate chains and unauthorized or expiring certificates.