How to create fullchain.pem from cert.pem?

Hi, I'm using Certify The Web application for wildcard-certificate renewal on dedicated IIS server. It works great.

Now I'm trying to load this certificate to the separate shared hosting, but control panel asks to include a full certificate chain to that wildcard-certificate.

I downloaded cert.pfx from IIS Manager server certificates and made cert.pem using openssl tool:

openssl pkcs12 -chain -in cert.pfx -out cert.pem -nodes

I don't see any options in Certify app for this, so now I guess I have to manually add some certificates. But I don't understand which certificates should I manually add (root, cross-signed or what?) and at what part of the pem certificate?

Thanks in advance

cat cert.pem ca.pem > fullchain.pem

Ok, you are on windows. Make a copy of cert.pem, name it fullchain. Open this copy, and paste ca.pem at the end. Done.

How to get ca.pem? Is it root certificate from https://letsencrypt.org/certificates/?

You should have it already, even if it’s called differently.

Anyway, it’s the intermediate (and maybe then the root).

@Ice2burn open your certificate and tell me how many lines like

===== BEGIN SOMETHING =====

there are

It has one "-----BEGIN PRIVATE KEY-----" line and one "-----BEGIN CERTIFICATE-----" line.

For deployed ssl-certificate this command:

openssl s_client -showcerts -verify 5 -connect wss.fansy-service.ru:443

returns two "-----BEGIN CERTIFICATE-----" lines

this doesn't sound good, strange format

this sounds like a fullchain

this doesn’t sound good, strange format

This is what I get by executing command in the first message. "-nodes" means not to encrypt key.

Should learn how to retrieve ca.pem in the first place.

read this: https://www.openssl.org/docs/man1.0.2/man1/pkcs12.html

I think you should change your openssl command:

openssl pkcs12 -chain -in cert.pfx -out fullchain.pem -nokeys

It returns only single "-----BEGIN CERTIFICATE-----".

Saw an error in console on "s_client " :

depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate

Maybe I should install Let's Encypt certificates on server manually.

Install the root. The intermediate should already be there.

Unfortunately, nothing changed

I think you should complain to them shared hosting people. Or give the same certificate in both fields.

Anyway, it’s the intermediate (and maybe then the root).

I manually added intermediate сertificate to the end of the cert.pem and control panel accepted it.

Too bad I can't figure it out how to properly made it with a console. Thanks for the help.

Try with -cacerts -nokeys for the chain. In another pass -nocerts to get the key.

openssl pkcs12 -chain -in cert.pfx -out chain.pem -cacerts -nokeys

As result, the file is empty.
Root and intermediate certs were installed using Certificate Import Wizard.

That doesn't seem right to me. The PKCS12 bundle should contain two certificates.

If you're only seeing one certificate with that command, it means Certify the Web didn't include an intermediate in the bundle. At that point, there's nothing you can really do except fetch it manually.

Edit: I noticed that you downloaded the PFX from IIS. Can you try fetch it from Certify the Web instead?

$ openssl pkcs12 -in bundle.pfx -nokeys
Enter Import Password:
Bag Attributes
    localKeyID: 6B C9 2A A8 49 3F 7C D3 E5 A8 E9 ED 30 DB 87 16 2E 28 FF 52
subject=CN = monkas.xyz

issuer=CN = Fake LE Intermediate X1

-----BEGIN CERTIFICATE-----
MIIFPDCCBCSgAwIBAgITAPpfS5Nv9KPM1j/0jv6IgaWDETANBgkqhkiG9w0BAQsF
ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xOTAzMDQy
MTAyNDZaFw0xOTA2MDIyMTAyNDZaMBUxEzARBgNVBAMTCm1vbmthcy54eXowggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6qUuagETgFwgH0MthCtvl1WPe
ne2EBsbTXAc2Ex51uWxZfER1Ov3QnCHJP8VlT9M/4vUgQfV8KWwd42d/nUv2/mv+
hiA53Lrkv73FH+JHGc7i0mSiwH0LEIhVaegZ/BPHG4Mx2EmOmNb5QB7yUyPLiz/j
QhtK9sczYkeWxpDahk7XQxyWvvnbgqtxSIWHDI7rgWL8ceF8M1zes/10lwmOGrlM
vGgOtH1gpzIlUkel0MEJ1zrZvzf2hdKFYQz2NBHJ7x5vmz1tfHsPGhVkWs/lji1i
jN8cU7ceML4d1Xg0YJN/QUsZjcwTJnY8ZR2iKrQMT2RxvUmyJ7WqAaG01943AgMB
AAGjggJ2MIICcjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFH8uRDLrA8ftNUmUg75+
ND8F+d6lMB8GA1UdIwQYMBaAFMDMA0a5WCDMXHJw8+EuyyCm9Wg6MHcGCCsGAQUF
BwEBBGswaTAyBggrBgEFBQcwAYYmaHR0cDovL29jc3Auc3RnLWludC14MS5sZXRz
ZW5jcnlwdC5vcmcwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9jZXJ0LnN0Zy1pbnQteDEu
bGV0c2VuY3J5cHQub3JnLzAjBgNVHREEHDAaggwqLm1vbmthcy54eXqCCm1vbmth
cy54eXowTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggr
BgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEFBgorBgEEAdZ5
AgQCBIH2BIHzAPEAdwCwzIPlpfl9a698CcwoSQSHKsfoixMsY1C3xv0m4WxsdwAA
AWlKuwufAAAEAwBIMEYCIQC++YhMuG5KgJKJStrtkRfxBR+bg3zdSAbLBWxeePjp
7gIhAOp49FQg/ID6Lw0RcEZFaxY+IfcSAHFYzWoVCf5tVDqtAHYA3Zk0/KXnJIDJ
Vmh9gTSZCEmySfe1adjHvKs/XMHzbmQAAAFpSrsNiwAABAMARzBFAiAQL3dOJn+u
oRQZ9XB4sh5qiofbaxK5piLrj7pmVo6RNQIhALskzduq/gL9WRhndq9H/WB9u/rQ
O3eM5QtB08WYObpcMA0GCSqGSIb3DQEBCwUAA4IBAQCkDQ1MJQjZt2y0JIiQ4otE
xPsqNMpiq5K9Ivx4PAKSlcQmmxIR4F+b/e46CbbTW+ZQ0KanALIcpGotCrbFtMKa
uhqITYwPKbD2uI4h4lOMDb2k+QqCMeqq0P7Vl6ewvhiCpUD3OS5zZSL69+o51mDe
GhXClfTwbil2LQCLQgMZjGk0/XyB2v2CJxYnfx7X28XMRJ2e9LBAosyWww2zSdZi
dKRGZcWPk0SEWYFlU2FsZZihbu7dndncr+dCJtGO/vBAGL7jlwhFZEsF2Ah6CLoM
yWqeZZrbXgGDIL+kAaXaIvHplYQ8c7gbmUi8pZFgmI+53KCELWfpRzhk1iJMpXdH
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Fake LE Intermediate X1

issuer=CN = Fake LE Root X1

-----BEGIN CERTIFICATE-----
MIIEqzCCApOgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+UwDQYJKoZIhvcNAQELBQAw
GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDUyMzIyMDc1OVoXDTM2
MDUyMzIyMDc1OVowIjEgMB4GA1UEAwwXRmFrZSBMRSBJbnRlcm1lZGlhdGUgWDEw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtWKySDn7rWZc5ggjz3ZB0
8jO4xti3uzINfD5sQ7Lj7hzetUT+wQob+iXSZkhnvx+IvdbXF5/yt8aWPpUKnPym
oLxsYiI5gQBLxNDzIec0OIaflWqAr29m7J8+NNtApEN8nZFnf3bhehZW7AxmS1m0
ZnSsdHw0Fw+bgixPg2MQ9k9oefFeqa+7Kqdlz5bbrUYV2volxhDFtnI4Mh8BiWCN
xDH1Hizq+GKCcHsinDZWurCqder/afJBnQs+SBSL6MVApHt+d35zjBD92fO2Je56
dhMfzCgOKXeJ340WhW3TjD1zqLZXeaCyUNRnfOmWZV8nEhtHOFbUCU7r/KkjMZO9
AgMBAAGjgeMwgeAwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw
HQYDVR0OBBYEFMDMA0a5WCDMXHJw8+EuyyCm9Wg6MHoGCCsGAQUFBwEBBG4wbDA0
BggrBgEFBQcwAYYoaHR0cDovL29jc3Auc3RnLXJvb3QteDEubGV0c2VuY3J5cHQu
b3JnLzA0BggrBgEFBQcwAoYoaHR0cDovL2NlcnQuc3RnLXJvb3QteDEubGV0c2Vu
Y3J5cHQub3JnLzAfBgNVHSMEGDAWgBTBJnSkikSg5vogKNhcI5pFiBh54DANBgkq
hkiG9w0BAQsFAAOCAgEABYSu4Il+fI0MYU42OTmEj+1HqQ5DvyAeyCA6sGuZdwjF
UGeVOv3NnLyfofuUOjEbY5irFCDtnv+0ckukUZN9lz4Q2YjWGUpW4TTu3ieTsaC9
AFvCSgNHJyWSVtWvB5XDxsqawl1KzHzzwr132bF2rtGtazSqVqK9E07sGHMCf+zp
DQVDVVGtqZPHwX3KqUtefE621b8RI6VCl4oD30Olf8pjuzG4JKBFRFclzLRjo/h7
IkkfjZ8wDa7faOjVXx6n+eUQ29cIMCzr8/rNWHS9pYGGQKJiY2xmVC9h12H99Xyf
zWE9vb5zKP3MVG6neX1hSdo7PEAb9fqRhHkqVsqUvJlIRmvXvVKTwNCP3eCjRCCI
PTAvjV+4ni786iXwwFYNz8l3PmPLCyQXWGohnJ8iBm+5nk7O2ynaPVW0U2W+pt2w
SVuvdDM5zGv2f9ltNWUiYZHJ1mmO97jSY/6YfdOUH66iRtQtDkHBRdkNBsMbD+Em
2TgBldtHNSJBfB3pm9FblgOcJ0FSWcUDWJ7vO0+NTXlgrRofRT6pVywzxVo6dND0
WzYlTWeUVsO40xJqhgUQRER9YLOLxJ0O6C8i0xFxAMKOtSdodMB3RIwt7RFQ0uyt
n5Z5MqkYhlMI3J1tPRTp1nEt9fyGspBOO05gi148Qasp+3N+svqKomoQglNoAxU=
-----END CERTIFICATE-----

You can also look at some of the bundled export scripts that come with Certify the Web, which basically do the same thing:

@webprofusion the PFX should contain the intermediate, right? Even if downloaded from IIS Manager?

Yes, the PFX from Certify The Web is a bundle containing the end-entity cert, the intermediates and the private key used for the certificate signing request (in this case that’s different for every cert). You can see the path to the current certificates PFX file under Show Advanced Options> Other Options and just copy that file and work with it directly.

So there is no need to export the certificate (it’s already on disk) and the normal method would be to script the conversion of the pfx to the component parts you need using Shows Advanced Options > Scripting options and a local copy of OpenSSL e.g.: https://docs.certifytheweb.com/docs/script-hooks#example-export-certificate-using-openssl-to-pemcrtkey-etc-for-apache-and-other-services

The upcoming V5 of Certify The Web has a new Deployment Tasks UI feature which allows additional deployment tasks like exports to various formats and presets for popular servers like Apache and nginx as well as SSH/SFTP options for automated deployment to other services as part of the renewal process (optionally, they can also be deferred and run from the command line manually or as a scheduled task).

As an aside, what made you come to this forum for help instead of going to https://community.certifytheweb.com/ ? Just wondering if I need to make something more prominent on the website (depends how you found the app in the first place).

Success, it's located in "C:\ProgramData\Certify\certes\assets\pfx" with empty password and pfx contains intermediate cert as well. Didn't think about it. Thanks

Thanks, didn't pay attention to the advanced options. I thought I can retrieve the cert only with Server Manager where I see it directly after every renewal.

Yeah, it's an advanced level of administration. I'm not there yet

I was thinking it's something trivial, cause problem related to my lack of knowledge about certificates and not to CTW. And 9peppe answered in his second message about intermediate cert and it helped.

Anyway, thank you all for the help, didn't expect so much attention to the problem