SSL Certificate Chain Resolver


When you purchase an SSL certificate from a certificate authority, in most cases it is signed not by the authority's root certificate but by one or more intermediate certificates. The path from your certificate through those intermediates up to the root is called a certificate chain. Browsers can resolve such chains themselves by downloading the missing certificates from the sources specified in the certificates, but it is better to include the whole chain, except for the root certificate, in the response your server sends during the TLS handshake.

Certificate authorities usually tell you which intermediate certs you should include. For example, here’s what COMODO sends to you when you purchase a PositiveSSL certificate:

[Image: PositiveSSL certificate chain]

To install them on your server, you’ll have to concatenate the chain in the proper order. The result should look like this:

[Image: COMODO PositiveSSL Intermediate Certificates]

(Note that the root certificate should not be in the concatenated chain, as it is already included in the browser’s root CA store.)

The Script

cert-chain-resolver is a little script that, given your certificate, downloads the intermediate certificates and concatenates the chain in the proper order for you.

Installing cert-chain-resolver

The script is available from GitHub. You can download it using the browser or with wget utility:

wget https://github.com/zakjan/cert-chain-resolver/archive/master.zip

or you can use git to fetch the repository:

git clone https://github.com/zakjan/cert-chain-resolver.git

The script depends on OpenSSL and curl, which are probably already installed on your *nix system.

Using the SSL certificate chain resolver script

After you have received your certificate from the CA, run:

./resolve.sh input.pem output.pem

where input.pem is your certificate, and output.pem will be the generated chain, which you’ll install on your server.
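As an added illustration (not the project's resolve.sh, whose internals are not shown here), a small POSIX sh resolver that does what the post describes: read the CA Issuers URL from the certificate's Authority Information Access extension, fetch the issuer with curl, convert it to PEM, and repeat until a self-signed root is reached, which is left out of the output. It assumes openssl and curl are installed; the hostnames in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not the project's own code. Resolves a chain by following the
# "CA Issuers" URI of each certificate and stops at the self-signed root.

# Print the first "CA Issuers - URI:" value from an `openssl x509 -text` dump.
ca_issuers_url() {
    sed -n 's/^[[:space:]]*CA Issuers - URI://p' "$1" | head -n 1
}

# Succeed when the dump's Issuer and Subject lines match (a self-signed cert).
is_self_signed() {
    issuer=$(sed -n 's/^[[:space:]]*Issuer: //p' "$1" | head -n 1)
    subject=$(sed -n 's/^[[:space:]]*Subject: //p' "$1" | head -n 1)
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# resolve_chain input.pem output.pem
resolve_chain() {
    in=$1; out=$2
    work=$(mktemp) && dump=$(mktemp) || return 1
    # normalise the input to PEM with a trailing newline
    openssl x509 -in "$in" -out "$work" || return 1
    : > "$out"
    depth=0
    while [ "$depth" -lt 10 ]; do          # cap guards against looping AIA links
        openssl x509 -in "$work" -noout -text > "$dump" || return 1
        if [ "$depth" -gt 0 ] && is_self_signed "$dump"; then
            break                          # reached the root: not included
        fi
        cat "$work" >> "$out"
        url=$(ca_issuers_url "$dump")
        [ -n "$url" ] || break             # no AIA pointer: chain ends here
        # e.g. http://crt.example.test/intermediate.crt (placeholder); issuers
        # are commonly published as DER, so convert to PEM, falling back to PEM
        curl -fsSL "$url" -o "$work.der" || return 1
        openssl x509 -inform DER -in "$work.der" -out "$work" 2>/dev/null \
            || openssl x509 -inform PEM -in "$work.der" -out "$work" || return 1
        depth=$((depth + 1))
    done
    rm -f "$work" "$work.der" "$dump"
}
```

Run it as `resolve_chain input.pem output.pem`; the leaf certificate is written first, followed by each intermediate in issuing order.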

(Note that as of this writing resolve.sh doesn’t work in OS X Yosemite — there is an open issue about it, which I hope will be fixed soon. Update: the OS X issue has been fixed.)

Project information and source code

GitHub: https://github.com/zakjan/cert-chain-resolver/
Author: Jan Žák (@zakjan)
