(2023-05-29)
Creating Certificate Bundles With CA Intermediate Certificates
The order of certificates in the file is important. RFC 4346 for TLS 1.1 states:
This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it.
Thus the order is:
1. Your domain's certificate
2. Vendor's intermediate certificate that certifies (1)
3. Vendor's intermediate certificate that certifies (2)
…
n. Vendor's root certificate that certifies (n-1). Optional, because it should be contained in the client's CA store.
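One way to lint a bundle for this ordering before deploying it, as an added example that is not part of the original page: it compares each certificate's issuer Name with the subject Name of the certificate that follows it. It checks name chaining only, not signatures, and the function names and the skeleton sample certificates are assumptions made for illustration.

```python
import base64
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, pos, _ = read_tlv(der, 0)       # step into Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)     # step into TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    pos = end if tag == 0xA0 else pos  # skip the optional [0] version
    fields = []                        # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def misordered_positions(bundle_pem):
    """1-based positions whose issuer is not the next certificate's subject."""
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_CERT.findall(bundle_pem)]
    return [i + 1 for i in range(len(names) - 1)
            if names[i][0] != names[i + 1][1]]

# Constructed sample input: skeleton certificates with names only (no keys or signatures).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, bodies < 128 bytes

def skeleton_cert(subject, issuer):
    def name(cn):  # Name holding one commonName (OID 2.5.4.3) attribute
        attr = bytes.fromhex("0603550403") + tlv(0x0C, cn.encode())
        return tlv(0x30, tlv(0x31, tlv(0x30, attr)))
    tbs = tlv(0x30, bytes.fromhex("a003020102" "020101" "3000")
              + name(issuer) + bytes.fromhex("3000") + name(subject))
    b64 = base64.encodebytes(tlv(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

LEAF, CA1, CA2, ROOT = (skeleton_cert(*pair) for pair in [
    ("leaf.example", "Vendor CA 1"), ("Vendor CA 1", "Vendor CA 2"),
    ("Vendor CA 2", "Vendor Root"), ("Vendor Root", "Vendor Root")])
print(misordered_positions(LEAF + CA1 + CA2 + ROOT), misordered_positions(LEAF + CA2 + CA1))  # [] [1, 2]
```

An empty list means every certificate is followed by the one named as its issuer; to use it on a real bundle, pass the text of the PEM file to `misordered_positions`.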