To get recognized as a valid certificate, not only your own certificate but also the complete chain has to be presented by the web server. While there is only one valid order of the certificates in the chain, the order of installation can be different from web server to web server. Both our download pages and the email your certificate was supplied with, will list the correct order of your intermediate and root certificates. In most cases the actual root certificate from the CA doesn't have to be installed, since nowadays this is usually already installed and marked as trusted on the client initiating the connection.
Apache up to 2.4.8
SSLCertificateFile /path/to/your/certificate.crt SSLCertificateChainFile /path/to/your/intermediate-bundle.crt
The intermediate-bundle can be created with your favorite texteditor, and contains 1 or 2 of the supplied intermediate certificates in the following order:
-----BEGIN CERTIFICATE----- code Intermediate certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- code 2e Intermediate certificate (when required) -----END CERTIFICATE-----
Apache from version 2.4.8 and up or Nginx
Nginx and Apache 2.4.8 and greater uses for the SSLCertificateFile or ssl_certificate directive the following full-chain notation;
-----BEGIN CERTIFICATE----- code van uw SSL Certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- code 2e Intermediate certificate (when required) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- code Intermediate certificate -----END CERTIFICATE-----
This file can be created with the cat command:
cat www_sslcertificaten_nl.crt 2e_intermediate.crt 1e_intermediate.crt > certificate_bundle.crt
For other webservers like those found in routers or VPN appliances it is often required to generate the chain down from the root, importing one by one the CA certificates, until as last importing your own certificate. This allows the chain to be validated on every import, since the issuing certificate has been imported before.
A Windows server does not require you to define the chainorder, but requires you to have the intermediate certificates installed. This will happen automatically when using the .p7b file when completing the request, or can be installed after the initial installation from the Root certificates folder from the supplied ZIP file. This manual describes the installation procedure.