Reconstructing an SSL Certificate Chain Using the Browser

4th June 2023

Quite often, when downloading a new SSL certificate from your provider, you'll find it only includes the certificate that relates to your domain. However, a certificate doesn't exist in isolation: it is one link in a chain that leads back to a trusted authority. Serving the single certificate on its own will appear to work in some browsers (several will fetch or cache the missing intermediates themselves), but other clients will reject the connection, and if you run the SSL Server Test on SSL Labs (which you definitely should), you'll see a message about the chain being incomplete.

The certificate you have downloaded, the one that relates to your domain (the leaf, or end-entity, certificate), is the last link in the chain. The first link is a root CA (certificate authority) certificate, which ships with the browser or operating system (it sits in the trust store) so doesn't need to be sent. What's missing are the intermediate certificates that complete the chain between the two. On the internet you'll find websites that offer to supply these intermediate certificates, but there's no need: provided your browser was able to build the chain when it connected, you can export them straight from it.

Firefox (as of v128)

  1. Click the padlock icon next to the website's URL in the address bar.
  2. Click the Connection Secure section of the drop-down and then the More information link.
  3. On the right-hand side of the popup window there will be a button saying View Certificate that will open a new browser tab with more information about the details of the certificate.
  4. Scroll down to the Miscellaneous section of this tab to where you'll see Download links.
  5. Click the PEM (chain) link to initiate the download.

Chrome (as of v126)

  1. Click the site information icon (the 'settings' sliders, where the padlock used to be) just to the left of the website's URL in the address bar.
  2. Click the Connection is secure section of the drop-down and then the Certificate is valid link.
  3. Select the Details tab of the popup window and click the Export button in the bottom-right.
  4. Choose the Base64-encoded ASCII, certificate chain format and then click Save.

And if you don't love me now, You will never love me again...

This will download a .pem file (Firefox) or .cer file (Chrome) with the full certificate chain. The order matters: your domain certificate comes first, followed by each issuing certificate in turn, which is also the order a server must send them in. It will look something like this:

-----BEGIN CERTIFICATE-----
YOUR DOMAIN CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT CA CERTIFICATE
-----END CERTIFICATE-----

However, there's one more step in the process. As this is the full chain, it includes the root certificate authority (CA) certificate. If you deploy the file as it is, everything will still work, but SSL Labs will now flag the chain issue "contains anchor". This isn't a security problem: the root is already in every client's trust store, so sending it is redundant and just adds bytes to every handshake, and that is why they mark it as a fault.

All you need to do to resolve this is remove the last certificate from the bottom of the file. You can confirm it is the root before you delete it: a root certificate is self-signed, so its subject and issuer are identical. Keep your domain certificate first and the intermediate(s) after it, replace the chain file on the server with the updated one, reload the web server and re-run the test. You should no longer see any certificate issues on SSL Labs!
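The same clean-up from the command line, as an added example that is not part of the original post: it splits the browser export into its PEM blocks, uses openssl to check whether the last block is self-signed (the trust anchor SSL Labs complains about), writes the chain back without it, verifies that what is left builds to a root in the local trust store, and can dump the chain a live server actually sends for comparison. The file names and the hostname argument are placeholders.

```shell
#!/usr/bin/env bash
# Tidy a browser-exported certificate chain: drop the trailing root (trust
# anchor), keep leaf + intermediates in order, and verify the result.
# File names ("chain.pem", "fullchain-noanchor.pem") are placeholders.
set -eu

# Number of PEM certificate blocks in file $1.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the n-th certificate block (1-based, $2) of file $1.
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# Copy the first $2 certificates of $1 into $3, preserving their order.
write_first_n() {
    local in=$1 n=$2 out=$3 i=1
    : > "$out"
    while [ "$i" -le "$n" ]; do
        nth_cert "$in" "$i" >> "$out"
        i=$((i + 1))
    done
}

# A root CA certificate is self-signed: its subject equals its issuer.
# That is the property behind the "contains anchor" warning.
is_self_signed() {
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Write $1 to $2 minus a trailing self-signed root; print how many were kept.
strip_anchor() {
    local in=$1 out=$2 n keep tmp
    n=$(count_certs "$in")
    [ "$n" -gt 0 ] || { echo "no certificates in $in" >&2; return 1; }
    tmp=$(mktemp)
    nth_cert "$in" "$n" > "$tmp"
    keep=$n
    if is_self_signed "$tmp"; then
        keep=$((n - 1))
    fi
    rm -f "$tmp"
    write_first_n "$in" "$keep" "$out"
    echo "$keep"
}

# Check that leaf + intermediates in $1 chain up to a root in the local
# trust store, which is the check a client performs during the handshake.
verify_chain() {
    local in=$1 n leaf inter rc=0
    n=$(count_certs "$in")
    leaf=$(mktemp); inter=$(mktemp)
    nth_cert "$in" 1 > "$leaf"
    if [ "$n" -gt 1 ]; then
        local i=2
        while [ "$i" -le "$n" ]; do nth_cert "$in" "$i" >> "$inter"; i=$((i + 1)); done
        openssl verify -untrusted "$inter" "$leaf" || rc=$?
    else
        openssl verify "$leaf" || rc=$?
    fi
    rm -f "$leaf" "$inter"
    return "$rc"
}

# After deploying: print the certificates the server at $1 actually sends.
served_chain() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Usage: ./fix-chain.sh chain.pem fullchain-noanchor.pem [example.com]
if [ "$#" -ge 2 ]; then
    kept=$(strip_anchor "$1" "$2")
    echo "kept $kept certificate(s) in $2"
    verify_chain "$2"
    if [ "$#" -ge 3 ]; then
        echo "$3 currently sends $(served_chain "$3" | grep -c -- '-----BEGIN' || true) certificate(s)"
    fi
fi
```

Run it on the file the browser gave you, point the web server at the output, and then pass the hostname as the third argument: the count it reports should match the number of certificates kept (domain certificate plus intermediates), with no root among them.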