Did you know that when you install an SSL certificate, you have to install not only your site's certificate, but also one or more intermediate (a.k.a. chain) certificates? Failure to install the correct chain can cause certificate errors in browsers, driving visitors away from your site. To complicate matters, browsers cache chain certificates, meaning that an improperly-configured chain could work in some browsers but not others, making this an annoying problem to debug.
This site tests if your server is serving the correct certificate chain, tells you what chain you should be serving, and helps you configure your server to serve it.
Checks port 443 (HTTPS) by default. For a different port, specify it with the hostname like:
Paste your certificate in the box below to generate the correct chain for it, based on the metadata embedded in the certificate.
Or, enter the hostname of a server to generate the correct chain for its certificate:
You do not need to include the root certificate in the certificate chain that you serve, since clients already have the root certificate in their trust stores. Including the root is inefficient since it increases the size of the SSL handshake.
A separate chain that includes the root certificate is sometimes used for other purposes, such as OCSP stapling. Such advanced configuration is beyond the scope of this guide, although the generator will generate such chains if you check the "Include Root Certificate" box.
Note: some software requires you to put your site's certificate and your chain certificates (e.g. example.com.chain.crt) in separate files, while other software requires you to put your chain certificates after your site's certificate in the same file. You can generate the combined file (example.com.chained.crt) with a command such as:
cat example.com.crt example.com.chain.crt > example.com.chained.crt
Don't forget to restart your server software after changing its configuration!
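As an added example (not part of the original page and not SSLMate's code), the following standard-library Python sketch checks a combined file such as example.com.chained.crt: each certificate must be followed by its issuer, and no self-signed root should be present. It compares issuer and subject names only and does not verify signatures; the function names are hypothetical and the sample certificates are skeletal structures constructed for illustration.

```python
import base64, re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)          # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version, then serialNumber
        _, _, end = _tlv(der, end)
    _, _, iss = _tlv(der, end)          # skip signature AlgorithmIdentifier
    _, _, val = _tlv(der, iss)          # issuer Name spans der[iss:val]
    _, _, sub = _tlv(der, val)          # skip validity
    _, _, ext = _tlv(der, sub)          # subject Name spans der[sub:ext]
    return der[iss:val], der[sub:ext]

def check_chain(pem):
    """Return problems found in a served chain file; an empty list means OK."""
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem)]
    problems = [] if names else ["no certificates found"]
    for i, (issuer, subject) in enumerate(names):
        if i > 0 and issuer == subject:
            problems.append(f"cert {i}: self-signed root, not needed in the served chain")
        if i + 1 < len(names) and issuer != names[i + 1][1]:
            problems.append(f"cert {i}: next cert is not its issuer (wrong order or missing intermediate)")
    return problems

def _seq(tag, *parts):  # constructed-sample helper; short-form length (body < 128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(subject_cn, issuer_cn):
    """Constructed sample: a skeletal certificate holding only the fields read above."""
    def name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
        return _seq(0x30, _seq(0x31, _seq(0x30, b"\x06\x03\x55\x04\x03", _seq(0x0C, cn.encode()))))
    tbs = _seq(0x30, b"\xa0\x03\x02\x01\x02", b"\x02\x01\x01", _seq(0x30), name(issuer_cn), _seq(0x30), name(subject_cn))
    body = base64.encodebytes(_seq(0x30, tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"
LEAF = sample_cert("example.com", "Example Intermediate CA")
INTERMEDIATE = sample_cert("Example Intermediate CA", "Example Root CA")
ROOT = sample_cert("Example Root CA", "Example Root CA")
```

To check a real file, pass its contents: `check_chain(open("example.com.chained.crt", "rb").read())`.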
SSLMate lets you buy SSL certs from the command line. SSLMate saves you time and effort by automating away the error-prone tedium of CSR generation, certificate chain assembly, and renewals.