I'm trying to set up SSL on my AWS ELB, but I am thus far unable to figure out what goes into the "Certificate Chain" field. I receive the following error:
Unable to validate certificate chain. The certificate chain must start
with the immediate signing certificate, followed by any intermediaries
in order. The index within the chain of the invalid certificate is: -1
I have my private key & certificate in PEM format and uploaded. If I use these without the "optional" chain, it works untrusted. I have been poking around, trying to find an answer on what to put into the field, and this answer suggests downloading the gd_bundle-g2.crt – I have done this and converted it into PEM by running openssl x509 -inform PEM -in gd_bundle-g2.crt but the error remains. When I downloaded my certificate from GoDaddy, I was given a ZIP with my SSL certificate along with gdig2.crt and gd_bundle-g2-g1.crt. I have tried using these files in various combinations, and alone, but again, nothing.
What certificates go into the Certificate Chain, in what order, and in what format?
Best Answer
So the problem was several mistakes along the way for me. First, I took the -----BEGIN CERTIFICATE----- section from the PEM generated from my keytool keystore. Second, I was trying to convert the gd_bundle-g2-g1.crt file - it already contained exactly what I needed to use.

To start from the beginning - I used Digicert's Java Keytool to generate my commands to get my keystore and CSR using keytool. From there, I got a wildcard SSL certificate through GoDaddy and downloaded my certificate which was in a ZIP file along with gdig.crt and gd_bundle-g2-g1.crt. After this, I followed the steps to get the private key from my keystore following this StackOverflow answer. However, the foo.pem file from this command required one more command, openssl rsa -in foo.pem -out foo.rsa to get the final form accepted by the AWS panel.

Now to fill in the SSL form on AWS:
- foo.rsa file from the previous step.
- <your_cert>.crt file provided by GoDaddy
- gd_bundle-g2-g1.crt file provided by GoDaddy

This has given me a successful SSL certificate setup for my AWS ELB, with the proper certificate path, giving me a trusted certificate.
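An added example, not part of the original question or answer: a standard-library Python check for the ordering rule quoted in the error message, run locally before uploading. The script name `check_chain.py` and all function names are hypothetical; it assumes issuer and subject names are encoded byte-for-byte identically, and it checks name linkage only, not signatures or expiry.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """DER bytes of every CERTIFICATE block in the text, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]

def _tlv(buf, pos):
    """Read the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER encodings of the issuer and subject Name of one certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional explicit [0] version field
        pos = end
    fields = []                            # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        end = _tlv(der, pos)[2]
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def chain_errors(cert_pem, chain_pem):
    """Ordering problems found; an empty list means every name links to the next."""
    leaf, chain = pem_certs(cert_pem), pem_certs(chain_pem)
    if not leaf or not chain:
        return ["no CERTIFICATE block found in the certificate or the chain"]
    errors, expected = [], issuer_subject(leaf[0])[0]
    for i, der in enumerate(chain):
        issuer, subject = issuer_subject(der)
        if subject != expected:            # this entry did not sign the one before it
            errors.append(f"chain[{i}]: subject is not the issuer of the preceding certificate")
        expected = issuer
    return errors

if __name__ == "__main__":                 # usage: check_chain.py <your_cert>.crt <bundle>.crt
    with open(sys.argv[1]) as c, open(sys.argv[2]) as b:
        problems = chain_errors(c.read(), b.read())
    print("\n".join(problems) or "chain order OK")
    sys.exit(1 if problems else 0)
```

A chain file that also contains the server certificate itself is reported at `chain[0]`, since that entry's subject is not the server certificate's issuer.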