
How to include the whole certificate chain in your .cer, .crt or .pem certificate file?


Haha, another one of those “should’ve known it was this easy” in the books! This article explains how to include the whole certificate chain (so your “user certificate” with all the “intermediary certificates” and optionally, but not as recommended, the root certificate) in your PEM-formatted certificate. Because sometimes you just need to combine 5 certificates you’ve just successfully stolen from your own website using a script!



You might have already guessed it, but yes, I’m still (again) working with some AKS deployments 😂 Not a week goes by without learning something new about the beast. And that’s all good! The day I stop learning is the day I stop growing. And sometimes it’s nice to learn that things are more simple than you’d have expected, like in this case. 😁


This guide will presume you already have a bunch of certificates stashed somewhere in base64-encoded

Okay, so this wasn’t rocket science. Just took me a moment to verify this actually works because you can’t use a browser to do that (a browser will just magically figure out the intermediate certificates even if they’re missing) – but it really is as simple as just stashing all of the certificates in one file. That file can be a .pem, .cer, .crt or basically whatever your server or service wants – but the basic idea is, that it’ll contain the base64-encoded, PEM-formatted certificates all in one file. Essentially, they’re just copy-pasted one after another, but I’ll explain it in more detail below.

Obviously, you could do this with cat (if you’re a basher) or Get-Content | Set-Content (if you’re PoSHer), but I’ll explain the process in notepad. Probably more simple that way :) My script to steal certificates from a public website already executes similar steps with PowerShell, if you’re interested.

The order of the certificates doesn’t seem to matter for actual use in browsers or for securing API calls, but for OpenSSL the “last” certificate in the chain needs to be the first in the file – the tool refuses to analyze it properly any other way!

Time needed: 5 minutes.

How to combine multiple x509 certificates together?

  1. Create a new file for your new certificate

    You’ll need a new file for your new certificate! Name it something like my-certificate-chain.cer and leave it open in a text editor (like notepad).

  2. Find your “client” or “user” certificate file

    Now you’ll need the certificate that’s presented to users.

    Technically speaking, the order of the certificates doesn’t matter. But if you want to use a tool like OpenSSL to work with your certs in the future, you’ll save yourself some trouble by making sure the “last” certificate in the chain is the first in the file :)

    So you’ll need to start with the final certificate – often called “client” or “user” cert. It’s the one with your actual URL in it if you take a look at its info with openssl x509 -in certificate.crt -text -noout or a similar command.

    Open the file in a text editor (such as notepad) and copy the whole contents (including the rows with “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”).

  3. Get the intermediary certificate(s)

    Now we’ll need to get the intermediary certificates – the members of the chain between the final “user” certificate and the original root certificate.

    The order of the intermediary certificates really doesn’t matter. As long as none of them is the first one (because, as said, OpenSSL will get confused if the first certificate it encounters is an intermediary).

    Open these files up in a text editor one by one, and copy the contents (again, including the rows like “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”) into your new certificate file!

  4. Leave the root certificate out

    The root certificate does not need to be in the file (everyone inspecting your certificates for authenticity should have access to it already). Leave it out (for performance reasons).
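
If you have trouble telling the leaf, the intermediaries and the root apart, the steps above can be scripted. This is an added example (not part of the original article) in standard-library Python: it reads each certificate's issuer and subject, puts the leaf first, orders the intermediaries by issuer (more than the steps require) and drops the self-signed root. The names `build_chain`, `names`, `tlv` and `fake_cert` are made up for this sketch, and matching is by name only: no signature is verified.

```python
import base64, re, ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return the raw DER (issuer, subject) Names of one certificate."""
    _, pos, _ = tlv(der, 0)                    # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)                  # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                            # skip the optional [0] version
        pos = end
    fields = []
    for i in range(5):                         # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def build_chain(pem_text):
    """Order an unordered PEM bundle leaf-first and leave the root out."""
    ders = [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_text)]
    certs = [(d, *names(d)) for d in ders]     # (der, issuer, subject)
    certs = [c for c in certs if c[1] != c[2]] # issuer == subject: self-signed root
    issuers = {c[1] for c in certs}
    leaves = [c for c in certs if c[2] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    by_subject = {c[2]: c for c in certs}
    chain, cur = [], leaves[0]
    while cur and cur not in chain:            # walk leaf -> issuer -> issuer ...
        chain.append(cur)
        cur = by_subject.get(cur[1])
    return "".join(ssl.DER_cert_to_PEM_cert(c[0]) for c in chain)

def fake_cert(subject, issuer):
    """Constructed, unsigned DER stub with a real Name layout (sample data only)."""
    seq = lambda tag, body: bytes([tag, len(body)]) + body
    name = lambda cn: seq(0x30, seq(0x31, seq(0x30, bytes.fromhex("0603550403") + seq(0x0C, cn.encode()))))
    tbs = seq(0x02, b"\x01") + seq(0x30, b"") + name(issuer) + seq(0x30, b"") + name(subject)
    return ssl.DER_cert_to_PEM_cert(seq(0x30, seq(0x30, tbs)))
```

Pass `build_chain()` the concatenated text of your certificate files and write the returned string to my-certificate-chain.cer; CRLF line endings from notepad are tolerated.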

I’m not going to lie. That wasn’t THAT complicated. Writing the process down in steps was more complicated than actually doing it. And the best part is that it worked.

Sometimes the simple solution IS the right one.

Something unclear? Did it not work for you? Having trouble telling intermediaries apart from the user/client certificate? Has your Root Authority excommunicated you and you have no way to renew your certificates?

Except for the last one, let me know in the comments section below and let’s see if I can make the guide clearer 😀

