Combine X509 Certificates

TL;DR

Yes, you can combine multiple X.509 certificates into a single file. This is often needed for servers that require a chain of trust (intermediate certificates) alongside the server certificate. The order matters: your server certificate first, followed by any intermediate certificates, and finally the root certificate (though including the root is usually unnecessary). The PEM files are concatenated with cat, and OpenSSL is used to inspect the resulting chain.

How to Concatenate X509 Certificates

  1. Understand Certificate Order
    • Your server certificate: This is the one for your specific domain. It goes first.
    • Intermediate certificates: These link your server certificate back to a trusted root authority. Include them in order, from closest to furthest away from your server certificate.
    • Root certificate: While sometimes included, it’s generally not required as browsers usually have these already. Including it can sometimes cause issues.
  2. Using OpenSSL (Recommended)
     OpenSSL is a powerful command-line tool for working with X.509 certificates and cryptography. It’s available on most Linux distributions, macOS, and Windows (via Cygwin or WSL). PEM certificates are plain text, so the combining step itself is a simple cat:

    cat certificate1.pem intermediate1.pem intermediate2.pem > combined_certificate.pem

     Replace certificate1.pem with your server certificate file, intermediate1.pem and intermediate2.pem with your intermediate certificates (if any), and combined_certificate.pem with the desired name for the combined file.

  3. Verify the Combined Certificate
    1. Check File Format: Ensure the combined file is in PEM format (starts with -----BEGIN CERTIFICATE-----). You can open it in a text editor to verify.
    2. Inspect the Chain: Use OpenSSL to inspect the certificate chain:
      openssl s_client -showcerts -connect yourdomain.com:443

      Replace yourdomain.com with your actual domain name. This command shows the certificates presented by the server, including any intermediate certificates, so it reflects the combined file only once the server is using it (steps 4 and 5).

  4. Update Your Server Configuration
     Once you have the combined certificate file, update your web server (e.g., Apache, Nginx) to use it instead of the individual server certificate. The exact configuration steps vary depending on your server software.

    • Apache: In your virtual host configuration file, update the SSLCertificateFile directive to point to the new combined certificate file.
        SSLCertificateFile /path/to/combined_certificate.pem
    • Nginx: In your server block configuration file, update the ssl_certificate directive:
        ssl_certificate /path/to/combined_certificate.pem;
  5. Restart Your Server
     After updating the configuration, restart your web server for the changes to take effect.
