AWS – How to Install Intermediate Certificates

Tags: amazon-ec2, load-balancing, ssl

I have installed the private key (PEM encoded) and the public key certificate (PEM encoded) on the Amazon Load Balancer. However, when I check the SSL with a site test tool, I get the following error:

Error while checking the SSL Certificate!! Unable to get the local
issuer of the certificate. The issuer of a locally looked up
certificate could not be found. Normally this indicates that not all
intermediate certificates are installed on the server.

I converted the crt file to pem using these commands from this tutorial:

openssl x509 -in input.crt -out input.der -outform DER
openssl x509 -in input.der -inform DER -out output.pem -outform PEM

During setup of the Amazon Load Balancer, the only option I left out was the certificate chain (PEM encoded). However, this was optional. Could this be the cause of my issue? And if so, how do I create a certificate chain?

UPDATE

If you make a request to VeriSign they will give you a certificate chain. This chain includes the public crt, the intermediate crt and the root crt. Make sure to remove the public crt from your certificate chain (which is the topmost certificate) before adding it to the certificate chain box of your Amazon Load Balancer.

If you are making HTTPS requests from an Android app, then the above instructions may not work for older Android OS versions such as 2.1 and 2.2. To make it work on older Android OS versions:

  • Go here.
  • Click on the "Retail SSL" tab and then click on "Secure Site" > "CA Bundle for Apache Server".
  • Copy and paste these intermediate certs into the certificate chain box. Just in case you have not found it, here is the direct link.

If you are using GeoTrust certificates then the solution is much the same for Android devices; however, you need to copy and paste their intermediate certs for Android.

Best Answer

Concatenate the files provided manually, in the following order:

  • site.com.crt
  • intermediate.crt (one or more, the order of these doesn't matter)
  • ROOT.crt

You can do this from a shell with the cat command:

cat site.com.crt intermediate.crt ROOT.crt > site.chain.pem

or copy/paste them with no whitespace between, making sure each certificate starts on its own line:

-----BEGIN CERTIFICATE-----
site cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root cert
-----END CERTIFICATE-----
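As an added example (not part of the question or the answer above), a small POSIX shell check that splits a bundle built the way the answer describes and confirms that each certificate is issued by the one that follows it, i.e. the leaf, intermediate(s), root order that the load balancer and TLS clients expect. A bundle that fails this check is the kind that produces the "unable to get local issuer" error in the question. It assumes the openssl command-line tool is on PATH; the file names are the answer's.

```sh
#!/bin/sh
# check_chain: verify that a PEM bundle is ordered leaf -> intermediate(s) -> root,
# i.e. every certificate's issuer is the subject of the certificate that follows it.
# A bundle that fails this check is what produces "unable to get local issuer".
# Assumes the openssl CLI is on PATH. Exit 0 = chain order is consistent.
check_chain() {
    bundle=$1
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate: 00.pem, 01.pem, ...
    # Blank lines or text between certificates are dropped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%02d.pem", dir, n++) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    set -- "$tmp"/*.pem
    if [ "$#" -lt 2 ]; then
        echo "$bundle: fewer than two certificates found" >&2
        rm -rf "$tmp"
        return 1
    fi
    status=0
    # Compare each certificate's issuer with its successor's subject.
    while [ "$#" -ge 2 ]; do
        issuer=$(openssl x509 -in "$1" -noout -issuer)
        subject=$(openssl x509 -in "$2" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "certificate $(basename "$1" .pem) is not issued by certificate $(basename "$2" .pem)" >&2
            status=1
        fi
        shift
    done
    # The last certificate should be the self-signed root (ROOT.crt in the answer).
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(openssl x509 -in "$1" -noout -subject)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
        echo "warning: last certificate is not self-signed, ROOT.crt may be missing" >&2
    fi
    rm -rf "$tmp"
    return "$status"
}

# Usage: sh check_chain.sh site.chain.pem
if [ "$#" -eq 1 ]; then
    check_chain "$1"
fi
```

Run it against site.chain.pem before uploading; a non-zero exit names the certificate whose issuer does not match the next one in the file.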