64

I've just finished reading over this great thread explaining the different SSL formats.

Now I'm essentially looking for the opposite of How to split a PEM file.

There are 4 files I want to consolidate, originally created for Apache. I'm looking at the files specified by

  • SSLCertificateFile
  • SSLCertificateKeyFile
  • SSLCertificateChainFile
  • SSLCACertificateFile

What I'm mostly curious about is the order of the files in the consolidated derivative; is that important? E.g. if I were to just cat them together in the order they appear above into a .pem, would it be valid, or should they be ordered a specific way?

FYI, I'm doing this for sake of using these certs as a combined single .pem in SimpleSAMLphp.

quickshiftin
  • The order should be private key, intermediate certs, your certificate. – Zoredache Feb 07 '13 at 20:23
  • What about the CA, isn't that the root of the chain, and therefore it would go after the chain in the consolidated file? Or can it be omitted entirely? – quickshiftin Feb 07 '13 at 20:27
  • [Sounds like it's optional](http://stackoverflow.com/questions/1899983/difference-between-sslcacertificatefile-and-sslcertificatechainfile), I'll roll w/o it for now. – quickshiftin Feb 07 '13 at 20:49

2 Answers

76

The order does matter, according to RFC 4346.

Here is a quote directly taken from the RFC:

  certificate_list
    This is a sequence (chain) of X.509v3 certificates.  The sender's
    certificate must come first in the list.  Each following
    certificate must directly certify the one preceding it.  Because
    certificate validation requires that root keys be distributed
    independently, the self-signed certificate that specifies the root
    certificate authority may optionally be omitted from the chain,
    under the assumption that the remote end must already possess it
    in order to validate it in any case.

Based on this information, the server certificate should come first, followed by any intermediate certs, and finally the root trusted authority certificate (if self-signed). I could not find any information on the private key, but I think that should not matter because a private key in pem is easy to identify as it starts and ends with the text below, which has the keyword PRIVATE in it.

 -----BEGIN RSA PRIVATE KEY-----
 -----END RSA PRIVATE KEY-----

Daniel t.
18

Here is the command to combine using `cat`:

cat first_cert.pem second_cert.pem > combined_cert.pem

chicks
tidileboss
  • It's an answer how to concatenate any two certs, but not how to consolidate/concatenate certs for Apache. – asdmin Jun 21 '16 at 06:41
  • This is not really to answer the question, the accepted answer is good enough. I just provide additional information on how to concatenate, as the original poster talked about using cat, I thought it might help others. – tidileboss Jul 04 '16 at 15:37
  • Your answer does not indicate *what order* the files should be concatenated in (you just have "first_cert.pem" and "second_cert.pem"). The correct answer would be `cat my_site.pem ca_chain.pem my_site.key > combined_cert.pem` – Doktor J Feb 23 '17 at 19:09
  • @DoktorJ Most of the reliable sources say that the private key comes first, not last in the combined PEM file. – pabouk - Ukraine stay strong May 25 '22 at 15:14
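As an added example (not from any of the posts above), the following Python builds the combined PEM in the order the accepted answer and the last comment converge on, key first and then the certificate chain with the server certificate leading and the root omitted, and then checks the result for the layout rules discussed in the thread. The PEM bodies are constructed placeholders, and the key-first order is a choice made here, not something the RFC fixes; it also shows a pitfall of a bare `cat`: an input file without a trailing newline fuses two blocks onto one line and a line-oriented PEM reader loses a certificate.

```python
import re

# Constructed PEM blocks with placeholder bodies; not real keys or certificates.
# SERVER_CERT deliberately lacks a trailing newline, as exported files often do.
KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
SERVER_CERT = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\n"

# BEGIN/END markers must each occupy a whole line, as line-oriented PEM readers expect.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----$\n(.*?)\n^-----END ([A-Z0-9 ]+)-----$",
    re.M | re.S,
)

def pem_blocks(text):
    """Return (label, body) pairs in file order; raise if BEGIN and END disagree."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        begin, body, end = match.groups()
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        blocks.append((begin, body))
    return blocks

def combine(key_pem, server_cert_pem, *intermediate_pems):
    """Join the parts as key, server certificate, intermediates (root omitted).

    Unlike a bare cat, every part is terminated with a newline so two files that
    lack one cannot fuse into a single '-----END ...----------BEGIN ...-----' line.
    """
    parts = [key_pem, server_cert_pem, *intermediate_pems]
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)

def check_layout(text):
    """Apply the structural rules from the thread to a combined PEM file:
    exactly one private key, at least one certificate, and the key not wedged
    inside the certificate chain (RFC 4346 wants the chain contiguous, sender's
    certificate first). Returns 'ok' or a description of the problem."""
    labels = [label for label, _ in pem_blocks(text)]
    keys = [i for i, lbl in enumerate(labels) if "PRIVATE KEY" in lbl]
    certs = [i for i, lbl in enumerate(labels) if lbl == "CERTIFICATE"]
    if len(keys) != 1:
        return f"expected exactly one private key, found {len(keys)}"
    if not certs:
        return "no certificate blocks found"
    if certs[0] < keys[0] < certs[-1]:
        return "private key splits the certificate chain"
    return "ok"
```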