CertSimple will be shutting down on January 30 2020. Read the announcement here.

Help and FAQ ▸ Combining server and intermediate SSL/TLS certificates

How do I combine my certificate and the intermediate into a single file?

First thing first - what's an intermediate cert?

CAs aren't allowed to issue end-user certs directly trusted by the root certs in your browser and OS, so they issue certs from intermediates (changing the intermediates every few months and keeping the root certs offline). With CertSimple, 'DigiCertCA.crt' is the intermediate cert. You should definitely include the intermediate, as some browsers may have it cached, but not all, and if they don't have it cached they won't be able to work out that your site is trusted.

How do you combine them? You can combine PEM files (sometimes .pem, or .crt) together with a text editor (cutting and pasting) or on the command line:

In Unix:

cat example_com.crt DigiCertCA.crt > example_com-combined.crt

In Windows:

Get-Content example_com.crt, DigiCertCA.crt | Set-Content example_com-combined.crt

Remember: your certificate goes first, then the intermediate. As the nginx docx mention:

The server certificate must appear before the chained certificates in the combined file:

Or from the TLS spec itself

This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it.