Appendix
Create SSL Certificate Bundle
If several intermediate certificate files are received (as opposed to a single CA bundle), the
files should be merged into a bundle.
1. Confirm the files are in PEM format. When opened in a text editor, the content should look
similar to the following:
-----BEGIN CERTIFICATE-----
sajaisjkajfsdvjJV;kjvd;Kjv;Js;FDJVKjv
-----END CERTIFICATE-----
If the content does not have these types of headers, convert to PEM format first. See
Appendix section SSL File Conversion Tools.
2. Append all intermediate files into a single text file (server.ca-bundle).
a. Determine the order in which the certificates will be listed in the bundle (the order
matters). This is done by using keytool to review each certificate.
Use the following command to decode and view the content of each certificate:
keytool -v -printcert -file <certificate filename>
b. Start with the leaf certificate. Look at the Issuer to determine the certificate to be
listed first in the bundle.
keytool -v -printcert -file server.crt
Owner: CN=bcm.mydomain.edu, OU=ITS Servers & Apps, O=My Organization, L=Somewhere, ST=NY, C=US
Issuer: CN=InCommon Server CA, OU=InCommon, O=Internet2, C=US
c. The first Intermediate Certificate’s Owner should match the leaf certificate’s Issuer.
keytool -v -printcert -file InCommonServerCA.pem
Owner: CN=InCommon Server CA, OU=InCommon, O=Internet2, C=US
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
d. The next Intermediate Certificate’s Owner should match the first Intermediate
certificate’s Issuer. In this case it is the Root certificate (which will always be listed
last).
keytool -v -printcert -file AddTrustUTNSGCCA.pem
Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Issuer: CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
e. Create a new text file (bundle.crt) and append the certificate files in order.
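The following is an added worked example (not part of the original appendix) showing steps 1 and 2a to 2d as code: it checks that a file carries PEM certificate headers, reads the Owner and Issuer lines out of keytool -printcert output, and walks the Issuer-to-Owner links from the leaf to produce the bundle order. The keytool output embedded below is constructed from the page's sample and is not real certificate data.

```python
import re
from typing import Dict, List

# Constructed sample: Owner/Issuer lines of "keytool -v -printcert" for the
# three files named on the page, keyed by file name (not real certificates).
PRINTCERT: Dict[str, str] = {
    "server.crt": (
        "Owner: CN=bcm.mydomain.edu, OU=ITS Servers & Apps, O=My Organization, L=Somewhere, ST=NY, C=US\n"
        "Issuer: CN=InCommon Server CA, OU=InCommon, O=Internet2, C=US\n"),
    "InCommonServerCA.pem": (
        "Owner: CN=InCommon Server CA, OU=InCommon, O=Internet2, C=US\n"
        "Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE\n"),
    "AddTrustUTNSGCCA.pem": (
        "Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE\n"
        "Issuer: CN=UTN - DATACorp SGC, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US\n"),
}

def looks_like_pem(text: str) -> bool:
    """Step 1: one or more PEM certificate blocks with the standard headers and base64 body."""
    return re.fullmatch(
        r"(-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----\n)+", text) is not None

def parse_printcert(text: str) -> Dict[str, str]:
    """Pull the Owner and Issuer lines out of keytool -printcert output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Owner|Issuer):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    if "Owner" not in fields or "Issuer" not in fields:
        raise ValueError("Owner/Issuer not found in keytool output")
    return fields

def order_bundle(leaf: str, outputs: Dict[str, str]) -> List[str]:
    """Steps 2b-2d: file names to append, in order, starting with the leaf's issuer."""
    by_owner = {}
    for fname, text in outputs.items():
        f = parse_printcert(text)
        by_owner[f["Owner"]] = (fname, f["Issuer"])
    wanted = parse_printcert(outputs[leaf])["Issuer"]
    if wanted not in by_owner:
        raise ValueError(f"no file has Owner matching the leaf's Issuer: {wanted}")
    ordered: List[str] = []
    while wanted in by_owner:
        fname, issuer = by_owner[wanted]
        if fname in ordered:
            raise ValueError("cycle in certificate chain")
        ordered.append(fname)
        if issuer == wanted:  # self-signed root: nothing above it
            break
        wanted = issuer       # stop when no supplied file carries this Owner
    return ordered
```

If the returned list ends before a self-signed certificate, the last file's Issuer names a certificate that was not supplied; fetch it before building the bundle.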