Certificate Chain Management

Certificate Chain Management involves the handling and combination of Digital Certificate files to establish a secure chain of trust, typically for web servers^[400-devops-02-os-and-linux-basics-network-free-domain.md]. A complete chain ensures that a client (like a web browser) can verify the endpoint's certificate by linking it back to a trusted Root Certificate Authority (CA).

File Components

A standard certificate chain deployment consists of two certificate files plus the matching private key^[400-devops-02-os-and-linux-basics-network-free-domain.md]:

  • certificate.crt: The specific end-entity certificate for the domain^[400-devops-02-os-and-linux-basics-network-free-domain.md].
  • ca_bundle.crt: The bundle containing the intermediate certificates that link the domain certificate to the root CA^[400-devops-02-os-and-linux-basics-network-free-domain.md].
  • private.key: The private key corresponding to the certificate; it stays on the server and must never be concatenated into the chain file that is sent to clients^[400-devops-02-os-and-linux-basics-network-free-domain.md].

Operations

Creating a Full Chain

For many server configurations, the server certificate and the CA bundle must be merged into a single file. This creates a "full chain" file that contains the domain's certificate followed by the intermediate certificates^[400-devops-02-os-and-linux-basics-network-free-domain.md].

cat certificate.crt ca_bundle.crt > full_chain.crt
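Two things go wrong in practice with the `cat` step above: the files are concatenated in the wrong order (intermediate before the server certificate), or `private.key` is appended to the chain file by mistake and then shipped to every client. The following check is an added example, not part of the original note or of any tool it cites. It uses only the Python standard library: a minimal DER walker reads the issuer and subject Name of each certificate so the script can confirm that certificate i is issued by certificate i+1, and it flags any PRIVATE KEY block. The certificates in the demo are constructed, unsigned DER stubs with the correct X.509 layout, not real CA certificates.

```python
"""Sanity-check a concatenated full-chain PEM file before deploying it.

Added example using only the standard library. The demo certificates are
constructed X.509 stubs (correct structure, no real signature).
"""
import base64
import re

# One PEM block: label in group 1, base64 body in group 2.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in the text."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]


def der_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, content_start, content_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(data, start, end):
    """Yield (tag, content_start, content_end) for each element of a constructed type."""
    pos = start
    while pos < end:
        tag, cs, ce = der_tlv(data, pos)
        yield tag, cs, ce
        pos = ce


def issuer_and_subject(cert_der):
    """Return the raw DER content of the issuer and subject Name of an X.509 certificate."""
    _, cs, _ = der_tlv(cert_der, 0)                 # Certificate SEQUENCE
    _, ts, te = der_tlv(cert_der, cs)               # tbsCertificate SEQUENCE
    fields = list(der_children(cert_der, ts, te))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version (v3)
        fields = fields[1:]
    # Order is serialNumber, signature AlgorithmIdentifier, issuer, validity, subject, ...
    issuer = cert_der[fields[2][1]:fields[2][2]]
    subject = cert_der[fields[4][1]:fields[4][2]]
    return issuer, subject


def check_full_chain(text):
    """Return (ok, problems) for the contents of a full_chain.crt style file."""
    problems = []
    blocks = split_pem(text)
    if not blocks:
        return False, ["no PEM blocks found"]
    for label, _ in blocks:
        if "PRIVATE KEY" in label:
            problems.append("private key material present in the chain file")
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    names = [issuer_and_subject(c) for c in certs]
    for i in range(len(names) - 1):
        # The issuer of certificate i must be the subject of certificate i+1.
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: order is wrong")
    return not problems, problems


# --- Constructed demo data below: structurally valid, unsigned certificate stubs ---

def _tlv(tag, content):
    """Encode one DER TLV (content lengths up to 65535)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName."""
    oid_cn = b"\x06\x03\x55\x04\x03"                                  # 2.5.4.3
    atv = _tlv(0x30, oid_cn + _tlv(0x0C, common_name.encode()))       # UTF8String value
    return _tlv(0x30, _tlv(0x31, atv))


def stub_cert_pem(subject_cn, issuer_cn):
    """Build an UNSIGNED X.509 v3 certificate stub with the given subject/issuer (demo only)."""
    sha256_rsa = _tlv(0x30, b"\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00")
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial = _tlv(0x02, b"\x01")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    spki = _tlv(0x30, sha256_rsa + _tlv(0x03, b"\x00\x00"))           # placeholder key
    tbs = _tlv(0x30, version + serial + sha256_rsa + _name(issuer_cn)
               + validity + _name(subject_cn) + spki)
    cert = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 9))     # placeholder signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def demo():
    """Check a correct chain, a swapped chain, and a chain with a leaked private key."""
    leaf = stub_cert_pem("www.example.test", "Demo Intermediate CA")
    inter = stub_cert_pem("Demo Intermediate CA", "Demo Root CA")
    key = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"   # constructed stub
    return (check_full_chain(leaf + inter),
            check_full_chain(inter + leaf),
            check_full_chain(leaf + inter + key))


if __name__ == "__main__":
    for ok, problems in demo():
        print("OK" if ok else "FAIL", problems)
```

Run `check_full_chain(open("full_chain.crt").read())` on the file produced by the `cat` command. The script only inspects structure; it does not verify signatures. For a cryptographic check of the same ordering with OpenSSL, `openssl verify -CAfile root.crt -untrusted ca_bundle.crt certificate.crt` validates the server certificate through the bundle to a trusted root, and comparing `openssl x509 -noout -pubkey -in certificate.crt` with `openssl pkey -pubout -in private.key` confirms that the key belongs to the certificate.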

Generating PKCS12 (.pfx) Archives

The certificate and private key can be bundled into a PKCS12 format file (often with a .pfx extension), which is commonly used in Java environments like Tomcat or on Windows servers^[400-devops-02-os-and-linux-basics-network-free-domain.md]. This process packs the private key, the certificate, and the CA bundle into a single password-protected file; `-export` prompts for the export password that protects the archive^[400-devops-02-os-and-linux-basics-network-free-domain.md]. Using [OpenSSL](<./openssl.md>):

openssl pkcs12 -export -out tls.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt

Configuration

In application server configurations, such as Apache Tomcat, the connector must be configured to point to the generated keystore file, declare its type, and supply the keystore password, which has to match the export password chosen when the PKCS12 file was created^[400-devops-02-os-and-linux-basics-network-free-domain.md].

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:\Users\...\conf\tls.pfx"
    keystoreType="PKCS12"
    keystorePass="" />

Validation

When using services like Let's Encrypt, domain validation is often performed via an HTTP challenge: the CA asks the web server to expose a specific file at a standard path, then fetches it over plain HTTP to prove that the requester controls the domain^[400-devops-02-os-and-linux-basics-network-free-domain.md].

  • Validation Path (HTTP file validation used by some CAs): /.well-known/pki-validation/[TOKEN].txt
  • ACME Challenge Path (HTTP-01 challenge, used by Let's Encrypt): /.well-known/acme-challenge/

Sources

^[400-devops-02-os-and-linux-basics-network-free-domain.md]