What's a chain file? Its a sequence of certificates that connect my personal certificate to some self-proclaimed authority.
Given my certificate, how do I find the next certificate up the chain? Dump the certificate and you should see an extension called "Authority Information Access" with the URL of at least one more, and usually just one, upstream certificate. Download and repeat. You may find that the downloaded certificate is a binary blob that you need to convert but that's all.
Finally concatenate those bits into a chain file. Yay. man 1:0 google.
By the way, jeg elsker https://www.ssllabs.com/ssltest/analyze.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # start with your certificate: | |
| cert=my.crt | |
| # we will copy the individual certificates to 001.crt, 002.crt and so on: | |
| counter=0 | |
| # Now, for each certificate: | |
| link="$(printf "%03d.crt" $((++counter)))" # 001.cert, 002.crt, ... | |
| # Check that the certificate is in the human readable PEM format. | |
| # If not it needs to be converted. Then copy into 001/2/3.crt | |
| if openssl x509 -in "$cert" -text -noout &>/dev/null | |
| then cp "$cert" "$link" | |
| else openssl x509 -in "$cert" -inform DER -out "$link" -outform PEM | |
| fi | |
| # Make sure the certificate ends in a new line: | |
| echo >> "$link" | |
| # Get the next certificate up the chain: | |
| cert="$(openssl x509 -in $link -text -noout | sed -nr '/Authority Information Access:/,/^\s*$/p' | sed -nr '/CA Issuers/{s/.*URI://g;p}')" | |
| # Rinse and repeat until you have no more. | |
| # Concatenate the 001.crt 002.crt etc in that order: | |
| cat [0-9][0-9][0-9].crt > my.ca-bundle |
