Forum Discussion

smp_86112's avatar
smp_86112
Icon for Cirrostratus rankCirrostratus
Dec 15, 2011

Managing SSL Certificate Bundles

We are about changing SSL vendors, and it appears their root is already in the build-in "ca-bundle". However, their intermediates are not. I wanted to get some feedback on the right way to manage thes...
config
design
Kevin_Davies_40's avatar
Kevin_Davies_40
Icon for Nacreous rankNacreous
Oct 25, 2016

Just in case someone looks up this post again. You never add the root CA certs. The whole point is the client already has root certificates that it trusts. You job is to create a chain of trust between the root CA and your SSL certificate. So you need to include any intermediate certificates that achieve this.

Root CA (client must have this already)
  +---> Intermediate CA (you need to supply this)
           +--- Your SSL Certificate (your SSL certificate)

So your certificate is signed by the Intermediate CA, make sure you have the right one as their can be many, and the Intermediate CA is signed by the Root CA the client already trusts. This is how we create the chain of trust for SSL.