
I manage an Apache web server for a government site. The SSL cert will expire in a few weeks, so they sent me a zip file with 3 intermediate certs and the SSL certificate (I have the private key from the CSR generator and the .crt file provided by the gov't). I need to bundle the intermediate certs into one file for apache2.

Here are the 3 intermediate certs they sent me

Jan  1  2004 AAACertificateServices.crt
Nov  2  2018 SectigoRSADomainValidationSecureServerCA.crt
Mar 12  2019 USERTrustRSAAAACA.crt

In what order should I bundle the 3 certs? From reading other links, the order does matter if the root is provided. Which one is the root?

I used an online SSL validator on the 3 certs:

AAACertificateServices.crt

Common Name: AAA Certificate Services
Organization: Comodo CA Limited
Locality: Salford
State: Greater Manchester
Country: GB
Valid From: December 31, 2003
Valid To: December 31, 2028
Issuer: AAA Certificate Services, Comodo CA Limited
Serial Number: 1 (0x1)

SectigoRSADomainValidationSecureServerCA.crt

Common Name: Sectigo RSA Domain Validation Secure Server CA
Organization: Sectigo Limited
Locality: Salford
State: Greater Manchester
Country: GB
Valid From: November 1, 2018
Valid To: December 31, 2030
Issuer: USERTrust RSA Certification Authority, The USERTRUST Network
Serial Number: 7d5b5126b476ba11db74160bbc530da7

USERTrustRSAAAACA.crt

Common Name: USERTrust RSA Certification Authority
Organization: The USERTRUST Network
Locality: Jersey City
State: New Jersey
Country: US
Valid From: March 11, 2019
Valid To: December 31, 2028
Issuer: AAA Certificate Services, Comodo CA Limited
Serial Number: 3972443af922b751d7d36c10dd313595

This has been a gray area for me, since I've been using Let's Encrypt and they automatically bundle the intermediate certs into one file.

BioRod

2 Answers


The order is supposed to be the leaf cert first (the domain's cert), and then each cert that signs the one before it, until it reaches the root cert. The "issuer" field basically says which entity signed that cert. The root is AAACertificateServices, because it signs itself (issuer matches subject).

In this case it would be:

  1. leaf/domain cert
  2. SectigoRSADomainValidationSecureServerCA
  3. USERTrustRSAAAACA
  4. AAACertificateServices

For httpd before 2.4.8, make a file for 2,3,4 and use SSLCertificateChainFile. For httpd 2.4.8 or later make a single file with 1-4.

The root cert (#4 in this case) is optional to include in either case, and it is normally recommended to leave it out. Apparently including it can result in better client-side error messages for older Windows clients if the cert isn't trusted.

Rob Olmos
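The issuer-to-subject walk this answer describes, as an added shell example (not code from the thread): it takes the leaf plus any number of CA files in any order, prints them leaf-first by matching each cert's Issuer to another cert's Subject, and stops at the self-signed root, which is left out unless you ask for it. It assumes an `openssl` CLI that understands `-nameopt RFC2253` (1.0.2 or later); the file name `server.crt` in the usage comment is a placeholder for the cert the gov't sent.

```shell
#!/bin/sh
# order_chain.sh - assemble a leaf-first TLS chain file from a pile of PEM
# certificates by following each cert's Issuer to the cert whose Subject
# matches it. Added example, not from the original thread; assumes an
# openssl CLI that understands -nameopt RFC2253 (1.0.2 and later).
set -eu

# dn_of <-subject|-issuer> <cert.pem>  -> canonical DN string
dn_of() {
    openssl x509 -in "$2" -noout "$1" -nameopt RFC2253 | sed 's/^[a-z]*=//'
}

# chain_files <leaf.pem> <ca1.pem> [ca2.pem ...]
# Prints file names one per line in the order they belong in the chain:
# the leaf first, then the cert that signed it, and so on. A self-signed
# cert (Issuer == Subject) is the root; it is left out unless
# INCLUDE_ROOT=1, since clients must already hold it to trust the chain.
chain_files() {
    leaf=$1; shift
    printf '%s\n' "$leaf"
    want=$(dn_of -issuer "$leaf")
    depth=0
    while [ "$depth" -lt 10 ]; do          # bound the walk; cross-signs can loop
        depth=$((depth + 1))
        found=""
        for c in "$@"; do
            if [ "$(dn_of -subject "$c")" = "$want" ]; then
                found=$c
                break
            fi
        done
        [ -n "$found" ] || break           # no signer on hand: chain ends here
        if [ "$(dn_of -issuer "$found")" = "$want" ]; then
            if [ "${INCLUDE_ROOT:-0}" = 1 ]; then
                printf '%s\n' "$found"
            fi
            break
        fi
        printf '%s\n' "$found"
        want=$(dn_of -issuer "$found")
    done
}

# build_chain <leaf.pem> <ca.pem...> > fullchain.pem
# Concatenates the ordered files. Point SSLCertificateFile at the result
# on httpd 2.4.8+; on older httpd, drop the first file (the leaf) and use
# the rest as SSLCertificateChainFile.
build_chain() {
    chain_files "$@" | while IFS= read -r f; do cat "$f"; done
}

# Usage on the files from the question (server.crt is a placeholder):
#   ./order_chain.sh server.crt AAACertificateServices.crt \
#       SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt \
#       > fullchain.pem
if [ "${1:-}" != "" ]; then
    build_chain "$@"
fi
```

Before deploying, check the file the script wrote with `openssl verify -untrusted fullchain.pem server.crt` (using your real leaf file name); it should print `server.crt: OK` against the system trust store, which is exactly the situation a client is in when the root is omitted. After the restart, `openssl s_client -connect yourhost:443 -showcerts` shows the chain Apache actually sends, leaf first.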
  • AAACertificateServices.crt is root certificate according to https://www.ssl.com/article/ssl-com-root-certificates/

  • SectigoRSAOrganizationValidationSecureServerCA is intermediate 1 or 2

  • USERTrustRSAAAACA is intermediate 1 or 2

  • leaf/domain cert is the (SSL certificate they provide for you)

The order that I used almost every time is root, intermediates and domain certificate.

Edit: Import all 3 into the already created keystore file (tomcat webserver).

Elshan
  • Then you have been using an incorrect order almost every time, as the standard is https://tools.ietf.org/html/rfc5246#section-7.4.2: "The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case." – Bob Apr 09 '21 at 04:49
  • What does "the sender's certificate" mean? Because I am using an Apache server most of the time. The CSR is generated by me, then the keystore is created based on that, the CSR is sent to the SSL authority (GoDaddy, Comodo), and after that they send the root, intermediate and domain certificate. Then I use the above order to install them into the keystore file. – Elshan Apr 10 '21 at 05:55
  • Apache sends the certificate message to the client making a TLS connection and is the sender. (During the TLS handshake where the client and server negotiate ciphers and keys.) – Bob Apr 10 '21 at 07:16