
SSL2Buy offers me three files: mysite.ssl2.crt, mysite.ssl2.intermediate, and mysite.ssl2.key. I don't believe the intermediate file counts as a certificate chain, but I don't know how to find the certificate chain. Does anybody know?

The error I'm getting from AWS is this (when I try to put the intermediate file as the certificate chain): Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: -1 (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedCertificate; Request ID: <redacted>)

My site is already up with proper SSL. I'm just trying to provide the certificate chain to API Gateway.

Ben Berman
  • I've tried all of the intermediates from https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=INFO1548 – Ben Berman Sep 25 '16 at 15:06
  • I've also tried `openssl s_client -host mysite.com -port 443 -prexit -showcerts`. I'm not entirely sure which part of this I should be copy/pasting in, but I've tried multiple variants and none have worked so far. – Ben Berman Sep 25 '16 at 15:10
  • 1
    *"I don't believe the intermediate file counts as a certificate chain"* Yes, that's exactly what it is, but some CAs give you the chain in the wrong order (I have no idea why, I assume some web servers also expect them in the wrong order, so they are being "helpful") but it's relatively easy to sort it out. How many certificates are in the intermediate file? (You can determine this with your eyeballs by counting the `BEGIN`/`END` blocks in the file). – Michael - sqlbot Sep 25 '16 at 18:45
  • @Michael-sqlbot There was only one. I managed to get this working by remembering I wanted to put this all behind my CDN anyways, so I'm just using the default gateway as the origin and having my CDN do the routing for me. :P Not very helpful for future people, but I did try all of these answers and comments and none of them worked, for whatever reason. – Ben Berman Sep 29 '16 at 21:18

2 Answers


As mentioned in comments, typically the intermediate certificate is exactly what you need to provide. In some circumstances you will need to provide both the intermediate certificate plus an additional chain.

You can use `openssl verify` to verify the chain before attempting to upload it to API Gateway.

Bob Kinney

A certificate chain contains the issuing CAs that directly trust the root certificate. An SSL certificate chain links an intermediate certificate to the root, and you should install the root CA bundle offered by your certificate issuer. You can find different CA bundles containing root and intermediate certificates at the link below; in this way you can provide the certificate chain to API Gateway.

https://www.ssl2buy.com/wiki/ssl-intermediate-and-root-ca-bundle/

Jason Parms