The certificate chain is very important: connecting devices use it to find out whether the SSL certificate was issued by a trusted authority. Some connecting browsers / devices / software / ... will accept a chain which isn't in the correct order, so everything looks fine. However, for some Android devices the correct chain order is important, or the connection will fail. But how do you create such a certificate for your web server?
- Download XCA and install it
- Download OpenSSL and install it
Once that is done, do the following:
1.) Create an empty file (C:\temp\cert-chain.txt) on your PC and paste the following into it:
(Your Primary SSL certificate from C:\temp\your_domain_name.crt)
(Your Intermediate certificate from C:\temp\TheIntermediateCA.crt)
(Your Root certificate part from C:\temp\TheTrustedRoot.crt)
2.) Now replace the content inside the brackets with your certificates (which you can export via XCA; PEM text format). The order above is VERY important, so do not mix it up!
3.) Export the private key (unencrypted, in text format) with XCA from your certificate and store it in C:\temp\server.pemkey
4.) Now merge everything together as PKCS #12 (the filename extension for PKCS #12 files is .p12 or .pfx). To do that, open a CMD (run as admin) and run:
openssl pkcs12 -export -inkey C:\temp\server.pemkey -in C:\temp\cert-chain.txt -password pass:ABCD -out C:\temp\certificate(chain_and_key).pfx
5.) Your PFX file is now ready to be used.