Intermediate Certificates The "Standard Format" for CRT request files and public signed certificates is the "Base64 X509" format which is accepted by most servers and browsers. To chain certificates, append them into a single file starting with your site certificate first, next the intermediates in the order they are chained. $cat yourcert.crt intermediate.crt >certificate.crt -------------------------------------------------------------------------------- The following ia extracted from a KB Article from Barracuda Networks: In addition to root CA certificate verification, AsyncOS supports the use of intermediate certificate verification. Intermediate certificates are certificates issued by a Trusted Root CA which are then used to create additional certificates effectively creating a chained line of trust. For example, a certificate may be issued by godaddy.com who, in turn, is granted the rights to issue certificates by a Trusted Root CA. The certificate issued by godaddy.com must be validated against godaddy.com's private key as well as the Trusted Root CA's private key. If after uploading your SSL certificate you see the error message "Error The uploaded certificate is invalid. Discarding it.", you may be using an intermediary SSL certificate. The two most widely trusted SSL certificate vendors are VeriSign and Equifax. If you obtained your certificate through GoDaddy, DigiCert, or any other SSL certificate vendor, you will need to obtain as many intermediate certificates as necessary to relate your SLL certificate back to the root certificates of either VeriSign or Equifax. Once you have the intermediate certificates handy, create a new text file and paste all of the contents of each certificate into that text file, one after another. Regardless of the file extension, each certificate file should be a text file; the contents are usually a bunch of text preceded and followed by a series of dashes. The order in which they are pasted into the new file does not matter. The extension of the new amalgamated file does not matter either. -------------------------------------------------------------------------------- Thawte Intermediate Certificate Support In order for the SGC SuperCert to be authenticated correctly to all browsers the Intermediate Certificate (thawte SGC CA ) must be installed on the server. The SGC SuperCert is signed by the thawte SGC CA Intermediate Certificate which is in turn signed by the Verisign Class 3 Public Primary CA Root Certificate (Root Certificate > Intermediate Certificate > issued Certificate). Because the Intermediate Certificate is not shipped with any browser and is therefore untrusted, you have to install both the issued Certificate and the Intermediate Certificate on the server so that whenever an SSL session is invoked the server will present the Certificate chain (Intermediate Certificate > issued Certificate) to the browser and the browser can validate the complete chain right to the root issuer which is included in the browser and trust the Certificate. -------------------------------------------------------------------------------- Example of a chained CRT file (certificate.crt) -----BEGIN CERTIFICATE----- MIIErTCCBBagAwIBAgIQAoXPMQbfxylF5X60+oq0ETANBgkqhkiG9w0BAQUFADCB ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w ODAxMTUwMDAwMDBaFw0wOTAxMTQyMzU5NTlaMIG9MQswCQYDVQQGEwJVUzEQMA4G A1UECBMHQWxhYmFtYTEPMA0GA1UEBxQGTW9iaWxlMSgwJgYDVQQKFB9CcmV0dCBS b2JpbnNvbiBHdWxmIENvcnBvcmF0aW9uMQswCQYDVQQLFAJJVDEzMDEGA1UECxQq VGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTA1MR8wHQYD VQQDFBZtYWlsLmJyZXR0cm9iaW5zb24uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQC91gJtthe+XXQ/Cgj6dn5/dk73AJA9fX/dDmvcdJt2Uy84HcRuq3v5 kv9rwGpIL0YOk1TDp59MI5Ev+u0Bxid9SEVp1Lii1SEdye/yyY4Tnayquwwf9j+x 32+kb4O9ITCjLqTFpNF6Ck2Cw/uISqFikzgvoodRumcK3T31qSndWQIDAQABo4IB rTCCAakwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRAYDVR0gBD0wOzA5BgtghkgB hvhFAQcXAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20v cnBhMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9TVlJJbnRsLWNybC52ZXJpc2ln bi5jb20vU1ZSSW50bC5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUFBwMC BglghkgBhvhCBAEwcQYIKwYBBQUHAQEEZTBjMCQGCCsGAQUFBzABhhhodHRwOi8v b2NzcC52ZXJpc2lnbi5jb20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9TVlJJbnRsLWFp YS52ZXJpc2lnbi5jb20vU1ZSSW50bC1haWEuY2VyMG4GCCsGAQUFBwEMBGIwYKFe oFwwWjBYMFYWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFEtruSiWBgy70FI4myms SweLIQUYMCYWJGh0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28xLmdpZjAN BgkqhkiG9w0BAQUFAAOBgQAkZj+SUbwsWphE7MEohGqZJVtBzuvZVCcbaq23Ff9s iNk7cIno8wnNUINLR6B3LFY7cuL1U6PwBovHoqutmb0PEYBeTEnvjaYSoltZLIAw Buo8c2Rc4nxAESXX7AlQEKH29cp4omaXNdIQvNQyHEjsTXWqZ9mmL3dEOVTTobdB 7Q== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw HhcNOTcwNDE3MDAwMDAwWhcNMTExMDI0MjM1OTU5WjCBujEfMB0GA1UEChMWVmVy aVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAx BgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVyIENBIC0gQ2xhc3Mg MzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5jb3JwLmJ5IFJlZi4g TElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0BAQEFAAOB jQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK+G/1AXTvOY2O6rwTGxbtueqPHNFVbLx veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01O OfdcSVq4wR3Tsor+cDCVQsv+K1GLWjw6+SJPkLICp1OcTzTnqwSye28CAwEAAaOB 4zCB4DAPBgNVHRMECDAGAQH/AgEAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQEw KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzA0BgNV HSUELTArBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEAQYKYIZIAYb4RQEI ATALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMDEGA1UdHwQqMCgwJqAk oCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA0GCSqGSIb3DQEB BQUAA4GBAAgB7ORolANC8XPxI6I63unx2sZUxCM+hurPajozq+qcBBQHNgYL+Yhv 1RPuKSvD5HKNRO3RrCAJLeH24RkFOLA9D59/+J4C3IYChmFOJl9en5IeDCSk9dBw E88mw0M9SR2egi5SX7w+xmYpAY5Okiy8RnUDgqxz6dl+C2fvVFIa -----END CERTIFICATE-----