How to combine various certificates into single .pem

apache-2.2 consolidation ssl-certificate

I've just finished reading over this great thread explaining the different SSL formats.

Now I'm essentially looking for the opposite of How to split a PEM file

There are 4 files I want to consolidate, originally created for Apache. I'm looking at the files specified by

  • SSLCertificateFile
  • SSLCertificateKeyFile
  • SSLCertificateChainFile
  • SSLCACertificateFile

What I'm mostly curious about is the order of the files in the consolidated derivative: is that important? E.g., if I were to just cat them together in the order they appear above, into a .pem, would it be valid, or should they be ordered a specific way?

FYI, I'm doing this for sake of using these certs as a combined single .pem in SimpleSAMLphp.

Best Answer

The order does matter, according to RFC 4346.

Here is a quote directly taken from the RFC:

  certificate_list
    This is a sequence (chain) of X.509v3 certificates.  The sender's
    certificate must come first in the list.  Each following
    certificate must directly certify the one preceding it.  Because
    certificate validation requires that root keys be distributed
    independently, the self-signed certificate that specifies the root
    certificate authority may optionally be omitted from the chain,
    under the assumption that the remote end must already possess it
    in order to validate it in any case.

Based on this information, the server certificate should come first, followed by any intermediate certs, and finally the root trusted authority certificate (if self-signed). I could not find any information on the private key, but I think that should not matter because a private key in PEM is easy to identify, as it starts and ends with the text below, which has the keyword PRIVATE in it.

 -----BEGIN RSA PRIVATE KEY-----
 -----END RSA PRIVATE KEY-----
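
The ordering rule quoted above can be applied mechanically instead of relying on `cat` order. The following is an added example, not part of the original answer: it reads PEM files given in any order and writes the certificates leaf-first. It assumes the chain can be built by matching each certificate's issuer name to the next certificate's subject name (no signatures are verified), it appends the private key last as an arbitrary choice, and the function names are hypothetical.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    names = []
    for field in range(5):                  # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, pos)
        if field in (2, 4):
            names.append(der[pos:end])
        pos = end
    return names[0], names[1]

def bundle(pem_texts):
    """Order certificates leaf-first (name matching only) and append any private key."""
    keys, certs = [], {}                    # certs: subject -> (issuer, pem)
    for kind, body in PEM_RE.findall("\n".join(pem_texts)):
        pem = f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"
        if kind.endswith("PRIVATE KEY"):
            keys.append(pem)
        elif kind == "CERTIFICATE":
            issuer, subject = issuer_subject(base64.b64decode(body))
            certs[subject] = (issuer, pem)
    signers = {iss for sub, (iss, _) in certs.items() if iss != sub}
    leaves = [s for s, (i, _) in certs.items() if s not in signers and (s != i or len(certs) == 1)]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    chain, cur = [], leaves[0]              # certs not on the leaf's path are left out
    while cur in certs and certs[cur][1] not in chain:
        issuer, pem = certs[cur]
        chain.append(pem)
        cur = None if issuer == cur else issuer   # stop after a self-signed root
    return "".join(chain + keys)

if __name__ == "__main__":                  # usage: bundle.py cert.pem key.pem chain.pem ca.pem
    sys.stdout.write(bundle(open(p).read() for p in sys.argv[1:]))
```

Because only names are compared, confirm the result with a real verifier (for example `openssl verify`) before deploying it.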