What SSL Certificate works WITHOUT an intermediate certificate?

We have a need to deploy a server app that has its own SSL certificate built in. This will get rolled to an unknown number of servers, that will go up and down.

We can generate this certificate using any CA, but in the end, we will just have the X.509 certificate pfx file (issued by GoDaddy or whatever CA). We can have in hand the intermediate certs, but this web server is simple, and only lets us specify the pfx file.

We won't be able to distribute or install intermediate certificates.

The app is a C# app that runs on Win2008 and higher.

What methods are there to solve this?

-- Is there a certificate that is reliable enough for browsers to trust it without intermediate certificates?

-- or ?


Solution 1:

You can add additional certs from the trust chain to a PKCS #12 file using openssl.

For example, to include the trust chain you could use the following command:

# -export reads PEM input, not a pfx, so first unpack the existing pfx (cert + key) to PEM
openssl pkcs12 -in input.pfx -nodes -out input.pem
# then re-export it, pulling the chain certs in from allcacerts.crt
openssl pkcs12 -export -in input.pem -out bundle.pfx -CAfile allcacerts.crt -chain

This would attempt to include the entire cert trust chain in your output pfx. You may need to include -passin <input password> and -passout <output password> for password requirements. You can force the inclusion of any particular certs with -certfile cacert.crt to include all certs in that file.

You can use the same utility to inspect the pfx file to see its contents and print a significant amount of diagnostic information.

openssl pkcs12 -in bundle.pfx -info
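A runnable check of the recipe above, added here as an example and not part of the original answer: it builds a throwaway root / intermediate / leaf chain with openssl, exports the leaf with -chain the way the answer describes, and then counts how many certificates the resulting pfx carries, so you can confirm the intermediate actually made it in before shipping the file. All names, subjects and the password are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway chain -> bundle.pfx via "-chain" -> count certs in the pfx.
set -e
WORK=$(mktemp -d)
PASS=pass:demo   # constructed password for the throwaway pfx

# Runs in a subshell so the cd does not leak into the caller.
make_chain() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\n' > leaf.ext

  # Self-signed root. It stays out of the pfx in practice: clients already trust their own roots.
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Root' -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null

  # Intermediate signed by the root: the cert browsers complain about when the server omits it.
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
    -extfile ca.ext -out int.crt 2>/dev/null

  # Leaf (server) cert signed by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj '/CN=app.example.test' -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 \
    -extfile leaf.ext -out leaf.crt 2>/dev/null

  # allcacerts.crt plays the role of the CA bundle in the answer; -chain verifies the leaf
  # against it and copies every cert on the verified path (intermediate and root) into the pfx.
  cat int.crt root.crt > allcacerts.crt
  openssl pkcs12 -export -in leaf.crt -inkey leaf.key -CAfile allcacerts.crt -chain \
    -out bundle.pfx -passout "$PASS"
)

# Number of certificates inside a pfx: 1 means leaf only, i.e. no chain was bundled.
count_certs() {
  openssl pkcs12 -in "$1" -info -nokeys -passin "$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Usage: make_chain && count_certs "$WORK/bundle.pfx"   (prints 3 for leaf + intermediate + root)
```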