How do I work out my certificate chain order manually?

Solution 1:

The X509v3 Authority Key Identifier in the openssl output for the child key will match the X509v3 Subject Key Identifier for the signing key.

For example, for this site's SSL cert and its parent certificate:

# openssl x509 -text -noout -in subject.pem
...
        Subject: C=US, ST=NY, L=New York, O=Stack Exchange, Inc., CN=*.stackexchange.com
...
            X509v3 Authority Key Identifier:
                keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
            X509v3 Subject Key Identifier:
                5A:C1:42:63:C2:62:13:B3:9D:94:84:AA:32:1E:17:CB:6D:A3:86:7B

# openssl x509 -text -noout -in parent.pem
...
        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
...
            X509v3 Subject Key Identifier:
                51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
            X509v3 Authority Key Identifier:
                keyid:B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3

51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B is what establishes on the child cert what cert signed it, you should be able to use that to find the correct authority certificates.

Solution 2:

It is important to note that the intermediate certificates are not specific to your domain or certificate. So, every certificate issued that is like yours, has the exact same intermediate certificates.

You can think of them a bit like the routing number on your checks. The routing number is needed, but really says more about your bank than it does about you. Your account number, or your certificate in this case, is what is unique to you.

Because of the generic nature of the intermediate certificates there are websites like this one:

https://www.ssl2buy.com/wiki/ssl-intermediate-and-root-ca-bundle

That have all of the intermediate certificates pre-bundled (and in the correct order) for different certificate issuers.