PKI certs hierarchy











up vote
0
down vote

favorite
1












I follow https://jamielinux.com/docs/openssl-certificate-authority/index.html and after create root and intermediate ca the chain file dosnt have hierarchy like other ca.



Here's the sample of expected hierarchy:



enter image description here




  • Root ca creation

  • Intermediate CA created and singed by root ca

  • domain cert created and singed by intermediate.


Create https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html#create-the-certificate-chain-file



But after import ca-chain.cert.pem via firefox that contain intermediate and root (exactly this order) . Just import the intermediate.



enter image description here



enter image description here



After importing in browser website work well but there is no root ca in hierarchy. just intermediate then website certification.



Even after import root ca the cert doesn't hierarchy as i expected.
What i missed?



Root ca:



Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f1:61:fb:1e:9e:12:3d:1a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2058 GMT
Subject: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:dc:20:86:ef:e7:01:fe:a8:6f:72:c1:b0:19:f3:
54:4c:36:f8:c9:c3:e9:82:58:e1:40:d0:dc:94:40:
7e:81:44:bc:83:a2:60:b0:60:b5:07:db:8a:23:ba:
21:d6:b6:9e:72:fd:03:86:6c:87:92:2c:f0:f9:4c:
64:e3:42:50:e4:93:ce:49:55:ce:c6:ce:cd:36:af:
2f:d2:f8:61:21:92:2e:67:0a:57:13:7f:e5:d6:a0:
42:1e:61:46:f2:c5:f3:0d:05:19:09:93:b5:7d:6b:
23:d1:a4:ae:9d:e4:22:9e:17:f5:b8:38:11:f6:f7:
29:6c:a1:7e:b5:68:34:9d:31:b8:cb:bd:b8:fb:9a:
25:f6:96:8b:6b:21:22:38:f0:a6:b4:5a:3a:00:94:
f4:de:2c:15:98:b1:82:8b:fa:f2:0e:e8:8e:2e:69:
86:0f:f6:f4:82:8d:b5:6f:00:8b:cc:3c:29:b8:2d:
fa:03:c2:7f:46:c5:0b:9f:4e:ee:f5:82:d5:b2:9f:
29:3b:43:b8:0b:90:05:f6:53:68:be:f2:d2:91:f9:
ec:5a:3f:83:d0:0f:49:6a:7f:d9:a3:72:d0:8f:74:
a6:4b:c8:31:bd:ac:45:6b:51:c4:46:0d:aa:31:3d:
03:bb:fc:7f:50:c6:ec:57:72:84:40:a8:4f:1d:14:
b6:4d:30:6c:2f:b1:69:7a:9b:1f:8f:f9:af:a3:00:
df:96:df:df:e6:b9:6d:5e:bc:1e:40:e7:ee:fe:18:
aa:bb:19:e5:26:9f:79:01:76:06:26:6b:43:cb:15:
41:aa:01:19:d9:11:19:7b:df:99:8c:68:8d:4b:a9:
76:3b:32:ff:68:4d:5c:0e:5d:c7:5f:ed:1a:20:f4:
68:29:0b:21:ac:79:05:9a:57:0a:54:d7:7d:06:83:
f9:b5:79:09:65:fa:c2:83:6d:b6:77:3e:e0:b2:ac:
15:b4:88:22:95:64:70:27:88:50:2b:e4:2e:6f:df:
f1:3c:fa:21:70:c2:bf:54:18:3e:2a:6f:2f:28:0f:
d3:83:61:6c:b5:9d:5e:4f:f8:8a:3b:75:ef:e9:97:
58:98:2f:31:39:cd:dd:18:ff:fc:ce:d0:83:72:23:
4f:e1:66:a4:0b:2a:5d:44:79:e4:7b:6a:67:d5:c5:
6a:a7:c9:ff:7e:1c:1b:20:e9:18:ee:69:cd:5b:cb:
f1:c3:cd:9e:62:38:f3:b0:f3:70:f8:0e:2f:c9:7b:
27:6e:5b:e4:78:b8:a2:b4:5a:26:ff:9f:bd:c6:b1:
2d:5b:a4:b3:49:17:24:68:02:be:b9:7e:c3:d5:37:
ca:c3:b4:bd:1b:28:fd:70:45:4f:9e:7e:1b:2a:14:
3d:cf:f9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Issuer Alternative Name:
<EMPTY>

X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
8a:33:b3:59:6d:30:11:d1:df:71:fa:ed:90:02:13:40:84:e0:
54:3e:88:ce:12:07:c9:29:ce:44:69:c0:e8:d4:90:e3:48:5c:
0c:6d:4f:c4:d6:af:a3:c5:86:ff:d1:93:8f:9b:b3:5e:8f:37:
fa:9c:93:cd:a8:0d:71:28:91:fa:06:17:70:a4:be:7a:30:b1:
76:c3:33:f2:4b:a7:b8:ec:a7:f9:76:e9:08:cb:b3:1b:cd:a5:
5f:c6:1a:85:7c:76:d4:67:da:d4:80:6d:be:80:4b:5c:f6:d0:
f8:f5:47:12:73:92:35:86:f2:76:4f:82:2c:e9:ec:1b:bf:5b:
cb:fa:31:65:41:ad:6f:e6:71:76:76:46:e7:51:b2:d0:fe:77:
76:2f:49:9d:c2:79:7a:94:9b:a8:42:4e:91:bb:72:60:c6:91:
e9:e6:cf:59:17:20:75:14:90:42:7c:c9:5d:27:10:b9:81:c0:
a5:43:3d:0a:e0:c6:ba:7e:e9:9a:98:02:a6:bf:5d:55:2b:31:
b9:0a:91:d7:f0:28:07:0b:80:e2:1c:0e:5f:c8:f8:88:17:3d:
8b:b0:b3:df:09:e3:0d:4b:1c:ed:d9:d1:8a:9a:d8:d8:b0:e6:
bf:9f:1e:14:86:45:47:5a:c5:e3:90:06:b7:0a:72:60:0d:0d:
2c:bd:ce:19:57:02:09:e0:d8:6e:ed:9a:7e:d6:8d:18:42:fc:
32:54:88:c1:87:98:0b:7e:ca:dd:9a:3e:d8:5b:00:91:28:ea:
2b:35:ad:36:6c:9d:e0:cc:41:cd:e9:31:75:ec:2c:e5:5e:24:
59:cd:f6:cb:14:42:e1:b6:30:84:6e:f2:13:8a:9e:32:0e:34:
1a:4f:5d:a7:19:67:64:84:29:5f:ec:7e:18:1a:7f:0c:65:6a:
04:8a:fa:a2:2b:76:ff:1f:c4:0a:5f:1b:df:4e:6b:60:58:ae:
37:d8:b8:3b:09:fa:34:8e:6a:e2:1c:a5:c6:a5:2c:a1:22:09:
03:91:b5:16:d6:d5:60:0b:a9:c2:8d:f4:6f:2c:1e:43:60:9d:
a3:8b:5c:34:ef:89:e5:93:ba:93:f8:92:96:fb:d2:f4:4b:68:
ca:0a:8c:58:d4:e2:cd:8e:e4:d7:90:1c:79:6f:c7:c2:61:ae:
e7:52:07:70:e2:d9:b4:59:b2:73:c4:eb:f0:39:09:3f:b3:69:
c7:2e:29:28:f5:a3:cd:fb:fd:2c:6b:b6:ad:de:f4:86:c4:e7:
20:e2:fc:37:40:95:b2:11:27:48:3c:3e:1c:f9:bd:fe:d2:56:
4d:a4:21:9c:85:eb:95:f1:bb:82:72:10:1c:d5:ff:eb:78:eb:
c7:5c:5f:fd:ec:0c:07:66


Intermediate CA:



Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2048 GMT
Subject: C = IR, ST = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Intermediate Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:d4:fd:41:15:a9:9e:ee:ef:09:3f:3f:54:55:
b4:bc:eb:15:d7:e8:3f:3d:5c:6a:f1:6e:83:33:da:
98:d5:e8:f8:ee:a3:62:a0:5a:bd:e0:a6:b3:c3:a1:
2c:7f:80:32:e5:f7:a9:0d:e0:33:2f:16:03:bd:59:
f4:47:6c:2b:6a:c3:d1:bf:a8:98:d6:1a:25:48:45:
94:cc:f4:3b:00:fa:3a:62:5f:1d:2e:e6:e3:cc:f8:
4e:78:8e:0d:93:ca:46:d9:b8:fa:45:f6:0d:8a:9d:
47:47:fe:10:1f:54:69:8c:eb:5d:71:d5:69:dc:0f:
12:9f:7b:a1:3e:e4:79:77:0b:f1:f3:33:9f:a8:75:
5c:3c:1f:38:96:c9:6f:8e:f4:b7:33:d8:51:c7:43:
42:1f:8f:7f:99:8e:d7:16:e0:cd:c8:c5:71:ac:4e:
07:c5:59:88:c6:97:55:a8:1c:ef:c8:43:30:25:7d:
8d:00:65:ab:bc:6f:d4:54:48:3b:6f:d6:e6:6f:ee:
da:3a:93:73:c3:9c:79:27:3a:fe:01:8f:67:24:91:
d1:92:1b:76:90:df:68:2b:8f:74:06:bd:f3:e3:96:
31:90:23:31:49:e9:76:51:ee:8f:3e:85:78:3c:99:
e4:84:4d:1a:61:86:8f:22:d2:b6:90:96:f4:ca:52:
c5:c7:3c:c9:cc:bd:3f:6b:56:df:df:21:0d:b3:09:
05:12:b5:37:ee:61:26:a6:0d:21:d7:52:f9:49:0d:
17:8c:44:ab:72:82:0c:db:05:33:77:67:70:bb:94:
4c:db:07:97:58:77:f2:28:95:6e:97:d2:f3:6f:fa:
b9:58:23:e1:39:81:b0:c5:1c:df:7f:45:5c:b1:8f:
89:bd:b8:51:0d:6a:a5:db:9d:8f:97:05:2d:fa:3b:
15:04:67:b4:b4:b2:fd:fb:69:b9:d3:73:0c:56:79:
e2:67:7a:0d:f8:6d:60:04:48:99:c4:7e:6a:8c:b0:
73:d1:70:a7:7d:0b:c5:6d:40:72:fb:58:fd:b4:46:
8c:a0:40:87:1c:23:75:1a:8a:4b:40:3b:f3:38:50:
18:3d:99:d3:2d:81:87:dc:27:22:39:36:fd:59:b9:
03:63:1c:76:ff:a8:0b:7b:8f:de:ff:6d:59:18:3e:
e5:a9:0f:b8:2f:fd:52:5a:7a:e4:d4:03:4b:25:9a:
50:e5:1b:80:ce:ab:4a:04:0e:5f:a8:31:01:38:ea:
7f:1e:b5:0a:a5:65:f9:b0:c4:24:55:89:6e:8d:9e:
3a:cf:e9:9a:f5:8c:e1:1b:ee:29:2b:3b:16:51:d8:
77:fe:95:f9:15:d3:a9:61:30:bc:94:0a:7d:98:87:
d2:82:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A7:6C:F7:40:34:DD:ED:0E:25:46:5D:16:65:4D:8F:ED:29:E8:5E:A7
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
d6:e5:f9:73:b4:50:98:ab:e9:6d:44:ef:4c:32:c4:88:bc:40:
3d:1c:80:a2:04:09:da:e0:3d:9d:e2:c5:2b:1d:64:7b:84:81:
4a:30:57:5a:c0:49:48:77:0b:c0:15:3e:cd:52:a9:d7:33:29:
eb:95:ce:b1:a2:9b:7c:9d:ac:53:3d:a7:2c:b0:f1:a5:d2:81:
c2:23:ea:bb:cd:e4:3f:e3:18:b4:70:6d:7d:23:1c:82:cc:01:
67:f9:2e:a9:8a:9e:94:ac:aa:ef:a3:9c:66:13:e7:b9:11:2f:
e5:52:c2:fe:92:f6:85:3f:3d:35:ad:57:15:d9:b8:19:b8:43:
73:62:f0:5a:55:d6:f3:18:7c:9f:79:fc:11:b8:ac:f6:a7:14:
e0:93:b1:9a:a8:42:1a:32:a8:36:43:87:b4:0d:76:2f:a5:ca:
66:4b:c4:cf:58:ec:c2:75:1b:32:58:8c:be:cc:b8:4a:0c:bd:
75:17:3d:b9:21:0b:e8:57:ea:84:92:e2:f8:d2:35:11:23:62:
4d:64:d0:3b:db:d5:1c:14:03:a7:ff:d9:0a:64:eb:36:2d:79:
6b:13:9f:d4:8d:08:01:86:83:10:a4:24:88:ea:6a:b4:75:07:
ab:54:87:2a:b6:87:23:d9:b0:00:d4:ba:6a:1d:db:ab:49:f2:
59:40:1f:6e:32:13:15:a7:40:3d:6a:22:24:12:4e:47:42:37:
9c:27:f5:d2:93:3f:40:77:f8:c5:db:9b:f0:92:15:51:74:0d:
5b:3c:f5:8b:a1:9c:39:f9:8b:41:3a:7b:57:00:31:d6:ca:e1:
5f:ef:54:7d:69:ba:2f:ce:52:6f:77:f6:b6:2c:c8:d8:d5:bc:
c9:99:d1:5a:5e:0f:b7:a4:24:09:58:07:af:bf:bc:1b:42:7b:
9c:31:22:5a:b8:bb:24:24:af:5b:5e:f5:a3:48:b1:bb:5c:ed:
86:87:70:af:10:6c:4e:34:d1:3e:2d:03:a8:4a:bf:67:1c:c6:
61:18:b1:82:75:5b:a0:b2:2f:1e:8d:f8:6a:bd:47:53:94:b2:
2c:93:74:c4:d6:d0:28:42:cf:4b:2f:61:81:86:42:53:ce:2f:
6b:e2:8e:aa:bf:9e:d1:9d:6a:2a:d3:83:0b:c0:df:fc:19:f3:
58:a0:ed:14:65:0f:87:9d:53:0b:d0:8d:fe:bb:97:8c:97:84:
f8:d4:c0:2c:99:44:99:83:3f:6d:d4:e9:c5:b0:8d:b9:df:d7:
5c:d3:fd:b9:90:36:1f:83:ba:53:dd:d0:8a:c6:a1:85:85:39:
af:6b:9b:da:c3:1c:27:f3:3d:94:af:65:12:07:98:f5:5d:de:
1a:d3:32:15:7a:d7:f7:63


Chain CA:



Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2048 GMT
Subject: C = IR, ST = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Intermediate Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:d4:fd:41:15:a9:9e:ee:ef:09:3f:3f:54:55:
b4:bc:eb:15:d7:e8:3f:3d:5c:6a:f1:6e:83:33:da:
98:d5:e8:f8:ee:a3:62:a0:5a:bd:e0:a6:b3:c3:a1:
2c:7f:80:32:e5:f7:a9:0d:e0:33:2f:16:03:bd:59:
f4:47:6c:2b:6a:c3:d1:bf:a8:98:d6:1a:25:48:45:
94:cc:f4:3b:00:fa:3a:62:5f:1d:2e:e6:e3:cc:f8:
4e:78:8e:0d:93:ca:46:d9:b8:fa:45:f6:0d:8a:9d:
47:47:fe:10:1f:54:69:8c:eb:5d:71:d5:69:dc:0f:
12:9f:7b:a1:3e:e4:79:77:0b:f1:f3:33:9f:a8:75:
5c:3c:1f:38:96:c9:6f:8e:f4:b7:33:d8:51:c7:43:
42:1f:8f:7f:99:8e:d7:16:e0:cd:c8:c5:71:ac:4e:
07:c5:59:88:c6:97:55:a8:1c:ef:c8:43:30:25:7d:
8d:00:65:ab:bc:6f:d4:54:48:3b:6f:d6:e6:6f:ee:
da:3a:93:73:c3:9c:79:27:3a:fe:01:8f:67:24:91:
d1:92:1b:76:90:df:68:2b:8f:74:06:bd:f3:e3:96:
31:90:23:31:49:e9:76:51:ee:8f:3e:85:78:3c:99:
e4:84:4d:1a:61:86:8f:22:d2:b6:90:96:f4:ca:52:
c5:c7:3c:c9:cc:bd:3f:6b:56:df:df:21:0d:b3:09:
05:12:b5:37:ee:61:26:a6:0d:21:d7:52:f9:49:0d:
17:8c:44:ab:72:82:0c:db:05:33:77:67:70:bb:94:
4c:db:07:97:58:77:f2:28:95:6e:97:d2:f3:6f:fa:
b9:58:23:e1:39:81:b0:c5:1c:df:7f:45:5c:b1:8f:
89:bd:b8:51:0d:6a:a5:db:9d:8f:97:05:2d:fa:3b:
15:04:67:b4:b4:b2:fd:fb:69:b9:d3:73:0c:56:79:
e2:67:7a:0d:f8:6d:60:04:48:99:c4:7e:6a:8c:b0:
73:d1:70:a7:7d:0b:c5:6d:40:72:fb:58:fd:b4:46:
8c:a0:40:87:1c:23:75:1a:8a:4b:40:3b:f3:38:50:
18:3d:99:d3:2d:81:87:dc:27:22:39:36:fd:59:b9:
03:63:1c:76:ff:a8:0b:7b:8f:de:ff:6d:59:18:3e:
e5:a9:0f:b8:2f:fd:52:5a:7a:e4:d4:03:4b:25:9a:
50:e5:1b:80:ce:ab:4a:04:0e:5f:a8:31:01:38:ea:
7f:1e:b5:0a:a5:65:f9:b0:c4:24:55:89:6e:8d:9e:
3a:cf:e9:9a:f5:8c:e1:1b:ee:29:2b:3b:16:51:d8:
77:fe:95:f9:15:d3:a9:61:30:bc:94:0a:7d:98:87:
d2:82:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A7:6C:F7:40:34:DD:ED:0E:25:46:5D:16:65:4D:8F:ED:29:E8:5E:A7
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
d6:e5:f9:73:b4:50:98:ab:e9:6d:44:ef:4c:32:c4:88:bc:40:
3d:1c:80:a2:04:09:da:e0:3d:9d:e2:c5:2b:1d:64:7b:84:81:
4a:30:57:5a:c0:49:48:77:0b:c0:15:3e:cd:52:a9:d7:33:29:
eb:95:ce:b1:a2:9b:7c:9d:ac:53:3d:a7:2c:b0:f1:a5:d2:81:
c2:23:ea:bb:cd:e4:3f:e3:18:b4:70:6d:7d:23:1c:82:cc:01:
67:f9:2e:a9:8a:9e:94:ac:aa:ef:a3:9c:66:13:e7:b9:11:2f:
e5:52:c2:fe:92:f6:85:3f:3d:35:ad:57:15:d9:b8:19:b8:43:
73:62:f0:5a:55:d6:f3:18:7c:9f:79:fc:11:b8:ac:f6:a7:14:
e0:93:b1:9a:a8:42:1a:32:a8:36:43:87:b4:0d:76:2f:a5:ca:
66:4b:c4:cf:58:ec:c2:75:1b:32:58:8c:be:cc:b8:4a:0c:bd:
75:17:3d:b9:21:0b:e8:57:ea:84:92:e2:f8:d2:35:11:23:62:
4d:64:d0:3b:db:d5:1c:14:03:a7:ff:d9:0a:64:eb:36:2d:79:
6b:13:9f:d4:8d:08:01:86:83:10:a4:24:88:ea:6a:b4:75:07:
ab:54:87:2a:b6:87:23:d9:b0:00:d4:ba:6a:1d:db:ab:49:f2:
59:40:1f:6e:32:13:15:a7:40:3d:6a:22:24:12:4e:47:42:37:
9c:27:f5:d2:93:3f:40:77:f8:c5:db:9b:f0:92:15:51:74:0d:
5b:3c:f5:8b:a1:9c:39:f9:8b:41:3a:7b:57:00:31:d6:ca:e1:
5f:ef:54:7d:69:ba:2f:ce:52:6f:77:f6:b6:2c:c8:d8:d5:bc:
c9:99:d1:5a:5e:0f:b7:a4:24:09:58:07:af:bf:bc:1b:42:7b:
9c:31:22:5a:b8:bb:24:24:af:5b:5e:f5:a3:48:b1:bb:5c:ed:
86:87:70:af:10:6c:4e:34:d1:3e:2d:03:a8:4a:bf:67:1c:c6:
61:18:b1:82:75:5b:a0:b2:2f:1e:8d:f8:6a:bd:47:53:94:b2:
2c:93:74:c4:d6:d0:28:42:cf:4b:2f:61:81:86:42:53:ce:2f:
6b:e2:8e:aa:bf:9e:d1:9d:6a:2a:d3:83:0b:c0:df:fc:19:f3:
58:a0:ed:14:65:0f:87:9d:53:0b:d0:8d:fe:bb:97:8c:97:84:
f8:d4:c0:2c:99:44:99:83:3f:6d:d4:e9:c5:b0:8d:b9:df:d7:
5c:d3:fd:b9:90:36:1f:83:ba:53:dd:d0:8a:c6:a1:85:85:39:
af:6b:9b:da:c3:1c:27:f3:3d:94:af:65:12:07:98:f5:5d:de:
1a:d3:32:15:7a:d7:f7:63









share|improve this question




















  • 1




    openssl x509 -noout -text -in <certificate file> will give you a better view of your certificates than an image. Copy/paste the output for all of your certificates into your question.
    – garethTheRed
    Nov 14 at 19:17










  • @garethTheRed added.
    – sweb
    Nov 14 at 19:54






  • 2




    You only add the Root CA certificate to Firefox (or any other browser and/or Operating System). All other certificates are added to the bundle end-entity first, followed by the CA that signed it, followed by the CA that signed that, all the way to the last Intermediate CA. There's no need to add the Root CA here as that's installed in Firefox (or similar). This bundle is then installed in your web-server.
    – garethTheRed
    Nov 14 at 21:14

















up vote
0
down vote

favorite
1












I follow https://jamielinux.com/docs/openssl-certificate-authority/index.html and after create root and intermediate ca the chain file dosnt have hierarchy like other ca.



Here's the sample of expected hierarchy:



enter image description here




  • Root ca creation

  • Intermediate CA created and singed by root ca

  • domain cert created and singed by intermediate.


Create https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html#create-the-certificate-chain-file



But after import ca-chain.cert.pem via firefox that contain intermediate and root (exactly this order) . Just import the intermediate.



enter image description here



enter image description here



After importing in browser website work well but there is no root ca in hierarchy. just intermediate then website certification.



Even after import root ca the cert doesn't hierarchy as i expected.
What i missed?



Root ca:



Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f1:61:fb:1e:9e:12:3d:1a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2058 GMT
Subject: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:dc:20:86:ef:e7:01:fe:a8:6f:72:c1:b0:19:f3:
54:4c:36:f8:c9:c3:e9:82:58:e1:40:d0:dc:94:40:
7e:81:44:bc:83:a2:60:b0:60:b5:07:db:8a:23:ba:
21:d6:b6:9e:72:fd:03:86:6c:87:92:2c:f0:f9:4c:
64:e3:42:50:e4:93:ce:49:55:ce:c6:ce:cd:36:af:
2f:d2:f8:61:21:92:2e:67:0a:57:13:7f:e5:d6:a0:
42:1e:61:46:f2:c5:f3:0d:05:19:09:93:b5:7d:6b:
23:d1:a4:ae:9d:e4:22:9e:17:f5:b8:38:11:f6:f7:
29:6c:a1:7e:b5:68:34:9d:31:b8:cb:bd:b8:fb:9a:
25:f6:96:8b:6b:21:22:38:f0:a6:b4:5a:3a:00:94:
f4:de:2c:15:98:b1:82:8b:fa:f2:0e:e8:8e:2e:69:
86:0f:f6:f4:82:8d:b5:6f:00:8b:cc:3c:29:b8:2d:
fa:03:c2:7f:46:c5:0b:9f:4e:ee:f5:82:d5:b2:9f:
29:3b:43:b8:0b:90:05:f6:53:68:be:f2:d2:91:f9:
ec:5a:3f:83:d0:0f:49:6a:7f:d9:a3:72:d0:8f:74:
a6:4b:c8:31:bd:ac:45:6b:51:c4:46:0d:aa:31:3d:
03:bb:fc:7f:50:c6:ec:57:72:84:40:a8:4f:1d:14:
b6:4d:30:6c:2f:b1:69:7a:9b:1f:8f:f9:af:a3:00:
df:96:df:df:e6:b9:6d:5e:bc:1e:40:e7:ee:fe:18:
aa:bb:19:e5:26:9f:79:01:76:06:26:6b:43:cb:15:
41:aa:01:19:d9:11:19:7b:df:99:8c:68:8d:4b:a9:
76:3b:32:ff:68:4d:5c:0e:5d:c7:5f:ed:1a:20:f4:
68:29:0b:21:ac:79:05:9a:57:0a:54:d7:7d:06:83:
f9:b5:79:09:65:fa:c2:83:6d:b6:77:3e:e0:b2:ac:
15:b4:88:22:95:64:70:27:88:50:2b:e4:2e:6f:df:
f1:3c:fa:21:70:c2:bf:54:18:3e:2a:6f:2f:28:0f:
d3:83:61:6c:b5:9d:5e:4f:f8:8a:3b:75:ef:e9:97:
58:98:2f:31:39:cd:dd:18:ff:fc:ce:d0:83:72:23:
4f:e1:66:a4:0b:2a:5d:44:79:e4:7b:6a:67:d5:c5:
6a:a7:c9:ff:7e:1c:1b:20:e9:18:ee:69:cd:5b:cb:
f1:c3:cd:9e:62:38:f3:b0:f3:70:f8:0e:2f:c9:7b:
27:6e:5b:e4:78:b8:a2:b4:5a:26:ff:9f:bd:c6:b1:
2d:5b:a4:b3:49:17:24:68:02:be:b9:7e:c3:d5:37:
ca:c3:b4:bd:1b:28:fd:70:45:4f:9e:7e:1b:2a:14:
3d:cf:f9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Issuer Alternative Name:
<EMPTY>

X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
8a:33:b3:59:6d:30:11:d1:df:71:fa:ed:90:02:13:40:84:e0:
54:3e:88:ce:12:07:c9:29:ce:44:69:c0:e8:d4:90:e3:48:5c:
0c:6d:4f:c4:d6:af:a3:c5:86:ff:d1:93:8f:9b:b3:5e:8f:37:
fa:9c:93:cd:a8:0d:71:28:91:fa:06:17:70:a4:be:7a:30:b1:
76:c3:33:f2:4b:a7:b8:ec:a7:f9:76:e9:08:cb:b3:1b:cd:a5:
5f:c6:1a:85:7c:76:d4:67:da:d4:80:6d:be:80:4b:5c:f6:d0:
f8:f5:47:12:73:92:35:86:f2:76:4f:82:2c:e9:ec:1b:bf:5b:
cb:fa:31:65:41:ad:6f:e6:71:76:76:46:e7:51:b2:d0:fe:77:
76:2f:49:9d:c2:79:7a:94:9b:a8:42:4e:91:bb:72:60:c6:91:
e9:e6:cf:59:17:20:75:14:90:42:7c:c9:5d:27:10:b9:81:c0:
a5:43:3d:0a:e0:c6:ba:7e:e9:9a:98:02:a6:bf:5d:55:2b:31:
b9:0a:91:d7:f0:28:07:0b:80:e2:1c:0e:5f:c8:f8:88:17:3d:
8b:b0:b3:df:09:e3:0d:4b:1c:ed:d9:d1:8a:9a:d8:d8:b0:e6:
bf:9f:1e:14:86:45:47:5a:c5:e3:90:06:b7:0a:72:60:0d:0d:
2c:bd:ce:19:57:02:09:e0:d8:6e:ed:9a:7e:d6:8d:18:42:fc:
32:54:88:c1:87:98:0b:7e:ca:dd:9a:3e:d8:5b:00:91:28:ea:
2b:35:ad:36:6c:9d:e0:cc:41:cd:e9:31:75:ec:2c:e5:5e:24:
59:cd:f6:cb:14:42:e1:b6:30:84:6e:f2:13:8a:9e:32:0e:34:
1a:4f:5d:a7:19:67:64:84:29:5f:ec:7e:18:1a:7f:0c:65:6a:
04:8a:fa:a2:2b:76:ff:1f:c4:0a:5f:1b:df:4e:6b:60:58:ae:
37:d8:b8:3b:09:fa:34:8e:6a:e2:1c:a5:c6:a5:2c:a1:22:09:
03:91:b5:16:d6:d5:60:0b:a9:c2:8d:f4:6f:2c:1e:43:60:9d:
a3:8b:5c:34:ef:89:e5:93:ba:93:f8:92:96:fb:d2:f4:4b:68:
ca:0a:8c:58:d4:e2:cd:8e:e4:d7:90:1c:79:6f:c7:c2:61:ae:
e7:52:07:70:e2:d9:b4:59:b2:73:c4:eb:f0:39:09:3f:b3:69:
c7:2e:29:28:f5:a3:cd:fb:fd:2c:6b:b6:ad:de:f4:86:c4:e7:
20:e2:fc:37:40:95:b2:11:27:48:3c:3e:1c:f9:bd:fe:d2:56:
4d:a4:21:9c:85:eb:95:f1:bb:82:72:10:1c:d5:ff:eb:78:eb:
c7:5c:5f:fd:ec:0c:07:66


Intermediate CA:



Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2048 GMT
Subject: C = IR, ST = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Intermediate Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:d4:fd:41:15:a9:9e:ee:ef:09:3f:3f:54:55:
b4:bc:eb:15:d7:e8:3f:3d:5c:6a:f1:6e:83:33:da:
98:d5:e8:f8:ee:a3:62:a0:5a:bd:e0:a6:b3:c3:a1:
2c:7f:80:32:e5:f7:a9:0d:e0:33:2f:16:03:bd:59:
f4:47:6c:2b:6a:c3:d1:bf:a8:98:d6:1a:25:48:45:
94:cc:f4:3b:00:fa:3a:62:5f:1d:2e:e6:e3:cc:f8:
4e:78:8e:0d:93:ca:46:d9:b8:fa:45:f6:0d:8a:9d:
47:47:fe:10:1f:54:69:8c:eb:5d:71:d5:69:dc:0f:
12:9f:7b:a1:3e:e4:79:77:0b:f1:f3:33:9f:a8:75:
5c:3c:1f:38:96:c9:6f:8e:f4:b7:33:d8:51:c7:43:
42:1f:8f:7f:99:8e:d7:16:e0:cd:c8:c5:71:ac:4e:
07:c5:59:88:c6:97:55:a8:1c:ef:c8:43:30:25:7d:
8d:00:65:ab:bc:6f:d4:54:48:3b:6f:d6:e6:6f:ee:
da:3a:93:73:c3:9c:79:27:3a:fe:01:8f:67:24:91:
d1:92:1b:76:90:df:68:2b:8f:74:06:bd:f3:e3:96:
31:90:23:31:49:e9:76:51:ee:8f:3e:85:78:3c:99:
e4:84:4d:1a:61:86:8f:22:d2:b6:90:96:f4:ca:52:
c5:c7:3c:c9:cc:bd:3f:6b:56:df:df:21:0d:b3:09:
05:12:b5:37:ee:61:26:a6:0d:21:d7:52:f9:49:0d:
17:8c:44:ab:72:82:0c:db:05:33:77:67:70:bb:94:
4c:db:07:97:58:77:f2:28:95:6e:97:d2:f3:6f:fa:
b9:58:23:e1:39:81:b0:c5:1c:df:7f:45:5c:b1:8f:
89:bd:b8:51:0d:6a:a5:db:9d:8f:97:05:2d:fa:3b:
15:04:67:b4:b4:b2:fd:fb:69:b9:d3:73:0c:56:79:
e2:67:7a:0d:f8:6d:60:04:48:99:c4:7e:6a:8c:b0:
73:d1:70:a7:7d:0b:c5:6d:40:72:fb:58:fd:b4:46:
8c:a0:40:87:1c:23:75:1a:8a:4b:40:3b:f3:38:50:
18:3d:99:d3:2d:81:87:dc:27:22:39:36:fd:59:b9:
03:63:1c:76:ff:a8:0b:7b:8f:de:ff:6d:59:18:3e:
e5:a9:0f:b8:2f:fd:52:5a:7a:e4:d4:03:4b:25:9a:
50:e5:1b:80:ce:ab:4a:04:0e:5f:a8:31:01:38:ea:
7f:1e:b5:0a:a5:65:f9:b0:c4:24:55:89:6e:8d:9e:
3a:cf:e9:9a:f5:8c:e1:1b:ee:29:2b:3b:16:51:d8:
77:fe:95:f9:15:d3:a9:61:30:bc:94:0a:7d:98:87:
d2:82:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A7:6C:F7:40:34:DD:ED:0E:25:46:5D:16:65:4D:8F:ED:29:E8:5E:A7
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
d6:e5:f9:73:b4:50:98:ab:e9:6d:44:ef:4c:32:c4:88:bc:40:
3d:1c:80:a2:04:09:da:e0:3d:9d:e2:c5:2b:1d:64:7b:84:81:
4a:30:57:5a:c0:49:48:77:0b:c0:15:3e:cd:52:a9:d7:33:29:
eb:95:ce:b1:a2:9b:7c:9d:ac:53:3d:a7:2c:b0:f1:a5:d2:81:
c2:23:ea:bb:cd:e4:3f:e3:18:b4:70:6d:7d:23:1c:82:cc:01:
67:f9:2e:a9:8a:9e:94:ac:aa:ef:a3:9c:66:13:e7:b9:11:2f:
e5:52:c2:fe:92:f6:85:3f:3d:35:ad:57:15:d9:b8:19:b8:43:
73:62:f0:5a:55:d6:f3:18:7c:9f:79:fc:11:b8:ac:f6:a7:14:
e0:93:b1:9a:a8:42:1a:32:a8:36:43:87:b4:0d:76:2f:a5:ca:
66:4b:c4:cf:58:ec:c2:75:1b:32:58:8c:be:cc:b8:4a:0c:bd:
75:17:3d:b9:21:0b:e8:57:ea:84:92:e2:f8:d2:35:11:23:62:
4d:64:d0:3b:db:d5:1c:14:03:a7:ff:d9:0a:64:eb:36:2d:79:
6b:13:9f:d4:8d:08:01:86:83:10:a4:24:88:ea:6a:b4:75:07:
ab:54:87:2a:b6:87:23:d9:b0:00:d4:ba:6a:1d:db:ab:49:f2:
59:40:1f:6e:32:13:15:a7:40:3d:6a:22:24:12:4e:47:42:37:
9c:27:f5:d2:93:3f:40:77:f8:c5:db:9b:f0:92:15:51:74:0d:
5b:3c:f5:8b:a1:9c:39:f9:8b:41:3a:7b:57:00:31:d6:ca:e1:
5f:ef:54:7d:69:ba:2f:ce:52:6f:77:f6:b6:2c:c8:d8:d5:bc:
c9:99:d1:5a:5e:0f:b7:a4:24:09:58:07:af:bf:bc:1b:42:7b:
9c:31:22:5a:b8:bb:24:24:af:5b:5e:f5:a3:48:b1:bb:5c:ed:
86:87:70:af:10:6c:4e:34:d1:3e:2d:03:a8:4a:bf:67:1c:c6:
61:18:b1:82:75:5b:a0:b2:2f:1e:8d:f8:6a:bd:47:53:94:b2:
2c:93:74:c4:d6:d0:28:42:cf:4b:2f:61:81:86:42:53:ce:2f:
6b:e2:8e:aa:bf:9e:d1:9d:6a:2a:d3:83:0b:c0:df:fc:19:f3:
58:a0:ed:14:65:0f:87:9d:53:0b:d0:8d:fe:bb:97:8c:97:84:
f8:d4:c0:2c:99:44:99:83:3f:6d:d4:e9:c5:b0:8d:b9:df:d7:
5c:d3:fd:b9:90:36:1f:83:ba:53:dd:d0:8a:c6:a1:85:85:39:
af:6b:9b:da:c3:1c:27:f3:3d:94:af:65:12:07:98:f5:5d:de:
1a:d3:32:15:7a:d7:f7:63


Chain CA:



Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2048 GMT
Subject: C = IR, ST = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Intermediate Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:d4:fd:41:15:a9:9e:ee:ef:09:3f:3f:54:55:
b4:bc:eb:15:d7:e8:3f:3d:5c:6a:f1:6e:83:33:da:
98:d5:e8:f8:ee:a3:62:a0:5a:bd:e0:a6:b3:c3:a1:
2c:7f:80:32:e5:f7:a9:0d:e0:33:2f:16:03:bd:59:
f4:47:6c:2b:6a:c3:d1:bf:a8:98:d6:1a:25:48:45:
94:cc:f4:3b:00:fa:3a:62:5f:1d:2e:e6:e3:cc:f8:
4e:78:8e:0d:93:ca:46:d9:b8:fa:45:f6:0d:8a:9d:
47:47:fe:10:1f:54:69:8c:eb:5d:71:d5:69:dc:0f:
12:9f:7b:a1:3e:e4:79:77:0b:f1:f3:33:9f:a8:75:
5c:3c:1f:38:96:c9:6f:8e:f4:b7:33:d8:51:c7:43:
42:1f:8f:7f:99:8e:d7:16:e0:cd:c8:c5:71:ac:4e:
07:c5:59:88:c6:97:55:a8:1c:ef:c8:43:30:25:7d:
8d:00:65:ab:bc:6f:d4:54:48:3b:6f:d6:e6:6f:ee:
da:3a:93:73:c3:9c:79:27:3a:fe:01:8f:67:24:91:
d1:92:1b:76:90:df:68:2b:8f:74:06:bd:f3:e3:96:
31:90:23:31:49:e9:76:51:ee:8f:3e:85:78:3c:99:
e4:84:4d:1a:61:86:8f:22:d2:b6:90:96:f4:ca:52:
c5:c7:3c:c9:cc:bd:3f:6b:56:df:df:21:0d:b3:09:
05:12:b5:37:ee:61:26:a6:0d:21:d7:52:f9:49:0d:
17:8c:44:ab:72:82:0c:db:05:33:77:67:70:bb:94:
4c:db:07:97:58:77:f2:28:95:6e:97:d2:f3:6f:fa:
b9:58:23:e1:39:81:b0:c5:1c:df:7f:45:5c:b1:8f:
89:bd:b8:51:0d:6a:a5:db:9d:8f:97:05:2d:fa:3b:
15:04:67:b4:b4:b2:fd:fb:69:b9:d3:73:0c:56:79:
e2:67:7a:0d:f8:6d:60:04:48:99:c4:7e:6a:8c:b0:
73:d1:70:a7:7d:0b:c5:6d:40:72:fb:58:fd:b4:46:
8c:a0:40:87:1c:23:75:1a:8a:4b:40:3b:f3:38:50:
18:3d:99:d3:2d:81:87:dc:27:22:39:36:fd:59:b9:
03:63:1c:76:ff:a8:0b:7b:8f:de:ff:6d:59:18:3e:
e5:a9:0f:b8:2f:fd:52:5a:7a:e4:d4:03:4b:25:9a:
50:e5:1b:80:ce:ab:4a:04:0e:5f:a8:31:01:38:ea:
7f:1e:b5:0a:a5:65:f9:b0:c4:24:55:89:6e:8d:9e:
3a:cf:e9:9a:f5:8c:e1:1b:ee:29:2b:3b:16:51:d8:
77:fe:95:f9:15:d3:a9:61:30:bc:94:0a:7d:98:87:
d2:82:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A7:6C:F7:40:34:DD:ED:0E:25:46:5D:16:65:4D:8F:ED:29:E8:5E:A7
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
d6:e5:f9:73:b4:50:98:ab:e9:6d:44:ef:4c:32:c4:88:bc:40:
3d:1c:80:a2:04:09:da:e0:3d:9d:e2:c5:2b:1d:64:7b:84:81:
4a:30:57:5a:c0:49:48:77:0b:c0:15:3e:cd:52:a9:d7:33:29:
eb:95:ce:b1:a2:9b:7c:9d:ac:53:3d:a7:2c:b0:f1:a5:d2:81:
c2:23:ea:bb:cd:e4:3f:e3:18:b4:70:6d:7d:23:1c:82:cc:01:
67:f9:2e:a9:8a:9e:94:ac:aa:ef:a3:9c:66:13:e7:b9:11:2f:
e5:52:c2:fe:92:f6:85:3f:3d:35:ad:57:15:d9:b8:19:b8:43:
73:62:f0:5a:55:d6:f3:18:7c:9f:79:fc:11:b8:ac:f6:a7:14:
e0:93:b1:9a:a8:42:1a:32:a8:36:43:87:b4:0d:76:2f:a5:ca:
66:4b:c4:cf:58:ec:c2:75:1b:32:58:8c:be:cc:b8:4a:0c:bd:
75:17:3d:b9:21:0b:e8:57:ea:84:92:e2:f8:d2:35:11:23:62:
4d:64:d0:3b:db:d5:1c:14:03:a7:ff:d9:0a:64:eb:36:2d:79:
6b:13:9f:d4:8d:08:01:86:83:10:a4:24:88:ea:6a:b4:75:07:
ab:54:87:2a:b6:87:23:d9:b0:00:d4:ba:6a:1d:db:ab:49:f2:
59:40:1f:6e:32:13:15:a7:40:3d:6a:22:24:12:4e:47:42:37:
9c:27:f5:d2:93:3f:40:77:f8:c5:db:9b:f0:92:15:51:74:0d:
5b:3c:f5:8b:a1:9c:39:f9:8b:41:3a:7b:57:00:31:d6:ca:e1:
5f:ef:54:7d:69:ba:2f:ce:52:6f:77:f6:b6:2c:c8:d8:d5:bc:
c9:99:d1:5a:5e:0f:b7:a4:24:09:58:07:af:bf:bc:1b:42:7b:
9c:31:22:5a:b8:bb:24:24:af:5b:5e:f5:a3:48:b1:bb:5c:ed:
86:87:70:af:10:6c:4e:34:d1:3e:2d:03:a8:4a:bf:67:1c:c6:
61:18:b1:82:75:5b:a0:b2:2f:1e:8d:f8:6a:bd:47:53:94:b2:
2c:93:74:c4:d6:d0:28:42:cf:4b:2f:61:81:86:42:53:ce:2f:
6b:e2:8e:aa:bf:9e:d1:9d:6a:2a:d3:83:0b:c0:df:fc:19:f3:
58:a0:ed:14:65:0f:87:9d:53:0b:d0:8d:fe:bb:97:8c:97:84:
f8:d4:c0:2c:99:44:99:83:3f:6d:d4:e9:c5:b0:8d:b9:df:d7:
5c:d3:fd:b9:90:36:1f:83:ba:53:dd:d0:8a:c6:a1:85:85:39:
af:6b:9b:da:c3:1c:27:f3:3d:94:af:65:12:07:98:f5:5d:de:
1a:d3:32:15:7a:d7:f7:63









share|improve this question




















  • 1




    openssl x509 -noout -text -in <certificate file> will give you a better view of your certificates than an image. Copy/paste the output for all of your certificates into your question.
    – garethTheRed
    Nov 14 at 19:17










  • @garethTheRed added.
    – sweb
    Nov 14 at 19:54






  • 2




    You only add the Root CA certificate to Firefox (or any other browser and/or Operating System). All other certificates are added to the bundle end-entity first, followed by the CA that signed it, followed by the CA that signed that, all the way to the last Intermediate CA. There's no need to add the Root CA here as that's installed in Firefox (or similar). This bundle is then installed in your web-server.
    – garethTheRed
    Nov 14 at 21:14















up vote
0
down vote

favorite
1









up vote
0
down vote

favorite
1






1





I follow https://jamielinux.com/docs/openssl-certificate-authority/index.html and after create root and intermediate ca the chain file dosnt have hierarchy like other ca.



Here's the sample of expected hierarchy:



enter image description here




  • Root ca creation

  • Intermediate CA created and singed by root ca

  • domain cert created and singed by intermediate.


Create https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html#create-the-certificate-chain-file



But after import ca-chain.cert.pem via firefox that contain intermediate and root (exactly this order) . Just import the intermediate.



enter image description here



enter image description here



After importing in browser website work well but there is no root ca in hierarchy. just intermediate then website certification.



Even after import root ca the cert doesn't hierarchy as i expected.
What i missed?



Root ca:



Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f1:61:fb:1e:9e:12:3d:1a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2058 GMT
Subject: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:dc:20:86:ef:e7:01:fe:a8:6f:72:c1:b0:19:f3:
54:4c:36:f8:c9:c3:e9:82:58:e1:40:d0:dc:94:40:
7e:81:44:bc:83:a2:60:b0:60:b5:07:db:8a:23:ba:
21:d6:b6:9e:72:fd:03:86:6c:87:92:2c:f0:f9:4c:
64:e3:42:50:e4:93:ce:49:55:ce:c6:ce:cd:36:af:
2f:d2:f8:61:21:92:2e:67:0a:57:13:7f:e5:d6:a0:
42:1e:61:46:f2:c5:f3:0d:05:19:09:93:b5:7d:6b:
23:d1:a4:ae:9d:e4:22:9e:17:f5:b8:38:11:f6:f7:
29:6c:a1:7e:b5:68:34:9d:31:b8:cb:bd:b8:fb:9a:
25:f6:96:8b:6b:21:22:38:f0:a6:b4:5a:3a:00:94:
f4:de:2c:15:98:b1:82:8b:fa:f2:0e:e8:8e:2e:69:
86:0f:f6:f4:82:8d:b5:6f:00:8b:cc:3c:29:b8:2d:
fa:03:c2:7f:46:c5:0b:9f:4e:ee:f5:82:d5:b2:9f:
29:3b:43:b8:0b:90:05:f6:53:68:be:f2:d2:91:f9:
ec:5a:3f:83:d0:0f:49:6a:7f:d9:a3:72:d0:8f:74:
a6:4b:c8:31:bd:ac:45:6b:51:c4:46:0d:aa:31:3d:
03:bb:fc:7f:50:c6:ec:57:72:84:40:a8:4f:1d:14:
b6:4d:30:6c:2f:b1:69:7a:9b:1f:8f:f9:af:a3:00:
df:96:df:df:e6:b9:6d:5e:bc:1e:40:e7:ee:fe:18:
aa:bb:19:e5:26:9f:79:01:76:06:26:6b:43:cb:15:
41:aa:01:19:d9:11:19:7b:df:99:8c:68:8d:4b:a9:
76:3b:32:ff:68:4d:5c:0e:5d:c7:5f:ed:1a:20:f4:
68:29:0b:21:ac:79:05:9a:57:0a:54:d7:7d:06:83:
f9:b5:79:09:65:fa:c2:83:6d:b6:77:3e:e0:b2:ac:
15:b4:88:22:95:64:70:27:88:50:2b:e4:2e:6f:df:
f1:3c:fa:21:70:c2:bf:54:18:3e:2a:6f:2f:28:0f:
d3:83:61:6c:b5:9d:5e:4f:f8:8a:3b:75:ef:e9:97:
58:98:2f:31:39:cd:dd:18:ff:fc:ce:d0:83:72:23:
4f:e1:66:a4:0b:2a:5d:44:79:e4:7b:6a:67:d5:c5:
6a:a7:c9:ff:7e:1c:1b:20:e9:18:ee:69:cd:5b:cb:
f1:c3:cd:9e:62:38:f3:b0:f3:70:f8:0e:2f:c9:7b:
27:6e:5b:e4:78:b8:a2:b4:5a:26:ff:9f:bd:c6:b1:
2d:5b:a4:b3:49:17:24:68:02:be:b9:7e:c3:d5:37:
ca:c3:b4:bd:1b:28:fd:70:45:4f:9e:7e:1b:2a:14:
3d:cf:f9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Issuer Alternative Name:
<EMPTY>

X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
8a:33:b3:59:6d:30:11:d1:df:71:fa:ed:90:02:13:40:84:e0:
54:3e:88:ce:12:07:c9:29:ce:44:69:c0:e8:d4:90:e3:48:5c:
0c:6d:4f:c4:d6:af:a3:c5:86:ff:d1:93:8f:9b:b3:5e:8f:37:
fa:9c:93:cd:a8:0d:71:28:91:fa:06:17:70:a4:be:7a:30:b1:
76:c3:33:f2:4b:a7:b8:ec:a7:f9:76:e9:08:cb:b3:1b:cd:a5:
5f:c6:1a:85:7c:76:d4:67:da:d4:80:6d:be:80:4b:5c:f6:d0:
f8:f5:47:12:73:92:35:86:f2:76:4f:82:2c:e9:ec:1b:bf:5b:
cb:fa:31:65:41:ad:6f:e6:71:76:76:46:e7:51:b2:d0:fe:77:
76:2f:49:9d:c2:79:7a:94:9b:a8:42:4e:91:bb:72:60:c6:91:
e9:e6:cf:59:17:20:75:14:90:42:7c:c9:5d:27:10:b9:81:c0:
a5:43:3d:0a:e0:c6:ba:7e:e9:9a:98:02:a6:bf:5d:55:2b:31:
b9:0a:91:d7:f0:28:07:0b:80:e2:1c:0e:5f:c8:f8:88:17:3d:
8b:b0:b3:df:09:e3:0d:4b:1c:ed:d9:d1:8a:9a:d8:d8:b0:e6:
bf:9f:1e:14:86:45:47:5a:c5:e3:90:06:b7:0a:72:60:0d:0d:
2c:bd:ce:19:57:02:09:e0:d8:6e:ed:9a:7e:d6:8d:18:42:fc:
32:54:88:c1:87:98:0b:7e:ca:dd:9a:3e:d8:5b:00:91:28:ea:
2b:35:ad:36:6c:9d:e0:cc:41:cd:e9:31:75:ec:2c:e5:5e:24:
59:cd:f6:cb:14:42:e1:b6:30:84:6e:f2:13:8a:9e:32:0e:34:
1a:4f:5d:a7:19:67:64:84:29:5f:ec:7e:18:1a:7f:0c:65:6a:
04:8a:fa:a2:2b:76:ff:1f:c4:0a:5f:1b:df:4e:6b:60:58:ae:
37:d8:b8:3b:09:fa:34:8e:6a:e2:1c:a5:c6:a5:2c:a1:22:09:
03:91:b5:16:d6:d5:60:0b:a9:c2:8d:f4:6f:2c:1e:43:60:9d:
a3:8b:5c:34:ef:89:e5:93:ba:93:f8:92:96:fb:d2:f4:4b:68:
ca:0a:8c:58:d4:e2:cd:8e:e4:d7:90:1c:79:6f:c7:c2:61:ae:
e7:52:07:70:e2:d9:b4:59:b2:73:c4:eb:f0:39:09:3f:b3:69:
c7:2e:29:28:f5:a3:cd:fb:fd:2c:6b:b6:ad:de:f4:86:c4:e7:
20:e2:fc:37:40:95:b2:11:27:48:3c:3e:1c:f9:bd:fe:d2:56:
4d:a4:21:9c:85:eb:95:f1:bb:82:72:10:1c:d5:ff:eb:78:eb:
c7:5c:5f:fd:ec:0c:07:66


Intermediate CA:



Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2048 GMT
Subject: C = IR, ST = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Intermediate Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:d4:fd:41:15:a9:9e:ee:ef:09:3f:3f:54:55:
b4:bc:eb:15:d7:e8:3f:3d:5c:6a:f1:6e:83:33:da:
98:d5:e8:f8:ee:a3:62:a0:5a:bd:e0:a6:b3:c3:a1:
2c:7f:80:32:e5:f7:a9:0d:e0:33:2f:16:03:bd:59:
f4:47:6c:2b:6a:c3:d1:bf:a8:98:d6:1a:25:48:45:
94:cc:f4:3b:00:fa:3a:62:5f:1d:2e:e6:e3:cc:f8:
4e:78:8e:0d:93:ca:46:d9:b8:fa:45:f6:0d:8a:9d:
47:47:fe:10:1f:54:69:8c:eb:5d:71:d5:69:dc:0f:
12:9f:7b:a1:3e:e4:79:77:0b:f1:f3:33:9f:a8:75:
5c:3c:1f:38:96:c9:6f:8e:f4:b7:33:d8:51:c7:43:
42:1f:8f:7f:99:8e:d7:16:e0:cd:c8:c5:71:ac:4e:
07:c5:59:88:c6:97:55:a8:1c:ef:c8:43:30:25:7d:
8d:00:65:ab:bc:6f:d4:54:48:3b:6f:d6:e6:6f:ee:
da:3a:93:73:c3:9c:79:27:3a:fe:01:8f:67:24:91:
d1:92:1b:76:90:df:68:2b:8f:74:06:bd:f3:e3:96:
31:90:23:31:49:e9:76:51:ee:8f:3e:85:78:3c:99:
e4:84:4d:1a:61:86:8f:22:d2:b6:90:96:f4:ca:52:
c5:c7:3c:c9:cc:bd:3f:6b:56:df:df:21:0d:b3:09:
05:12:b5:37:ee:61:26:a6:0d:21:d7:52:f9:49:0d:
17:8c:44:ab:72:82:0c:db:05:33:77:67:70:bb:94:
4c:db:07:97:58:77:f2:28:95:6e:97:d2:f3:6f:fa:
b9:58:23:e1:39:81:b0:c5:1c:df:7f:45:5c:b1:8f:
89:bd:b8:51:0d:6a:a5:db:9d:8f:97:05:2d:fa:3b:
15:04:67:b4:b4:b2:fd:fb:69:b9:d3:73:0c:56:79:
e2:67:7a:0d:f8:6d:60:04:48:99:c4:7e:6a:8c:b0:
73:d1:70:a7:7d:0b:c5:6d:40:72:fb:58:fd:b4:46:
8c:a0:40:87:1c:23:75:1a:8a:4b:40:3b:f3:38:50:
18:3d:99:d3:2d:81:87:dc:27:22:39:36:fd:59:b9:
03:63:1c:76:ff:a8:0b:7b:8f:de:ff:6d:59:18:3e:
e5:a9:0f:b8:2f:fd:52:5a:7a:e4:d4:03:4b:25:9a:
50:e5:1b:80:ce:ab:4a:04:0e:5f:a8:31:01:38:ea:
7f:1e:b5:0a:a5:65:f9:b0:c4:24:55:89:6e:8d:9e:
3a:cf:e9:9a:f5:8c:e1:1b:ee:29:2b:3b:16:51:d8:
77:fe:95:f9:15:d3:a9:61:30:bc:94:0a:7d:98:87:
d2:82:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A7:6C:F7:40:34:DD:ED:0E:25:46:5D:16:65:4D:8F:ED:29:E8:5E:A7
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
d6:e5:f9:73:b4:50:98:ab:e9:6d:44:ef:4c:32:c4:88:bc:40:
3d:1c:80:a2:04:09:da:e0:3d:9d:e2:c5:2b:1d:64:7b:84:81:
4a:30:57:5a:c0:49:48:77:0b:c0:15:3e:cd:52:a9:d7:33:29:
eb:95:ce:b1:a2:9b:7c:9d:ac:53:3d:a7:2c:b0:f1:a5:d2:81:
c2:23:ea:bb:cd:e4:3f:e3:18:b4:70:6d:7d:23:1c:82:cc:01:
67:f9:2e:a9:8a:9e:94:ac:aa:ef:a3:9c:66:13:e7:b9:11:2f:
e5:52:c2:fe:92:f6:85:3f:3d:35:ad:57:15:d9:b8:19:b8:43:
73:62:f0:5a:55:d6:f3:18:7c:9f:79:fc:11:b8:ac:f6:a7:14:
e0:93:b1:9a:a8:42:1a:32:a8:36:43:87:b4:0d:76:2f:a5:ca:
66:4b:c4:cf:58:ec:c2:75:1b:32:58:8c:be:cc:b8:4a:0c:bd:
75:17:3d:b9:21:0b:e8:57:ea:84:92:e2:f8:d2:35:11:23:62:
4d:64:d0:3b:db:d5:1c:14:03:a7:ff:d9:0a:64:eb:36:2d:79:
6b:13:9f:d4:8d:08:01:86:83:10:a4:24:88:ea:6a:b4:75:07:
ab:54:87:2a:b6:87:23:d9:b0:00:d4:ba:6a:1d:db:ab:49:f2:
59:40:1f:6e:32:13:15:a7:40:3d:6a:22:24:12:4e:47:42:37:
9c:27:f5:d2:93:3f:40:77:f8:c5:db:9b:f0:92:15:51:74:0d:
5b:3c:f5:8b:a1:9c:39:f9:8b:41:3a:7b:57:00:31:d6:ca:e1:
5f:ef:54:7d:69:ba:2f:ce:52:6f:77:f6:b6:2c:c8:d8:d5:bc:
c9:99:d1:5a:5e:0f:b7:a4:24:09:58:07:af:bf:bc:1b:42:7b:
9c:31:22:5a:b8:bb:24:24:af:5b:5e:f5:a3:48:b1:bb:5c:ed:
86:87:70:af:10:6c:4e:34:d1:3e:2d:03:a8:4a:bf:67:1c:c6:
61:18:b1:82:75:5b:a0:b2:2f:1e:8d:f8:6a:bd:47:53:94:b2:
2c:93:74:c4:d6:d0:28:42:cf:4b:2f:61:81:86:42:53:ce:2f:
6b:e2:8e:aa:bf:9e:d1:9d:6a:2a:d3:83:0b:c0:df:fc:19:f3:
58:a0:ed:14:65:0f:87:9d:53:0b:d0:8d:fe:bb:97:8c:97:84:
f8:d4:c0:2c:99:44:99:83:3f:6d:d4:e9:c5:b0:8d:b9:df:d7:
5c:d3:fd:b9:90:36:1f:83:ba:53:dd:d0:8a:c6:a1:85:85:39:
af:6b:9b:da:c3:1c:27:f3:3d:94:af:65:12:07:98:f5:5d:de:
1a:d3:32:15:7a:d7:f7:63


Chain CA:



Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2048 GMT
Subject: C = IR, ST = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Intermediate Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:d4:fd:41:15:a9:9e:ee:ef:09:3f:3f:54:55:
b4:bc:eb:15:d7:e8:3f:3d:5c:6a:f1:6e:83:33:da:
98:d5:e8:f8:ee:a3:62:a0:5a:bd:e0:a6:b3:c3:a1:
2c:7f:80:32:e5:f7:a9:0d:e0:33:2f:16:03:bd:59:
f4:47:6c:2b:6a:c3:d1:bf:a8:98:d6:1a:25:48:45:
94:cc:f4:3b:00:fa:3a:62:5f:1d:2e:e6:e3:cc:f8:
4e:78:8e:0d:93:ca:46:d9:b8:fa:45:f6:0d:8a:9d:
47:47:fe:10:1f:54:69:8c:eb:5d:71:d5:69:dc:0f:
12:9f:7b:a1:3e:e4:79:77:0b:f1:f3:33:9f:a8:75:
5c:3c:1f:38:96:c9:6f:8e:f4:b7:33:d8:51:c7:43:
42:1f:8f:7f:99:8e:d7:16:e0:cd:c8:c5:71:ac:4e:
07:c5:59:88:c6:97:55:a8:1c:ef:c8:43:30:25:7d:
8d:00:65:ab:bc:6f:d4:54:48:3b:6f:d6:e6:6f:ee:
da:3a:93:73:c3:9c:79:27:3a:fe:01:8f:67:24:91:
d1:92:1b:76:90:df:68:2b:8f:74:06:bd:f3:e3:96:
31:90:23:31:49:e9:76:51:ee:8f:3e:85:78:3c:99:
e4:84:4d:1a:61:86:8f:22:d2:b6:90:96:f4:ca:52:
c5:c7:3c:c9:cc:bd:3f:6b:56:df:df:21:0d:b3:09:
05:12:b5:37:ee:61:26:a6:0d:21:d7:52:f9:49:0d:
17:8c:44:ab:72:82:0c:db:05:33:77:67:70:bb:94:
4c:db:07:97:58:77:f2:28:95:6e:97:d2:f3:6f:fa:
b9:58:23:e1:39:81:b0:c5:1c:df:7f:45:5c:b1:8f:
89:bd:b8:51:0d:6a:a5:db:9d:8f:97:05:2d:fa:3b:
15:04:67:b4:b4:b2:fd:fb:69:b9:d3:73:0c:56:79:
e2:67:7a:0d:f8:6d:60:04:48:99:c4:7e:6a:8c:b0:
73:d1:70:a7:7d:0b:c5:6d:40:72:fb:58:fd:b4:46:
8c:a0:40:87:1c:23:75:1a:8a:4b:40:3b:f3:38:50:
18:3d:99:d3:2d:81:87:dc:27:22:39:36:fd:59:b9:
03:63:1c:76:ff:a8:0b:7b:8f:de:ff:6d:59:18:3e:
e5:a9:0f:b8:2f:fd:52:5a:7a:e4:d4:03:4b:25:9a:
50:e5:1b:80:ce:ab:4a:04:0e:5f:a8:31:01:38:ea:
7f:1e:b5:0a:a5:65:f9:b0:c4:24:55:89:6e:8d:9e:
3a:cf:e9:9a:f5:8c:e1:1b:ee:29:2b:3b:16:51:d8:
77:fe:95:f9:15:d3:a9:61:30:bc:94:0a:7d:98:87:
d2:82:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A7:6C:F7:40:34:DD:ED:0E:25:46:5D:16:65:4D:8F:ED:29:E8:5E:A7
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
d6:e5:f9:73:b4:50:98:ab:e9:6d:44:ef:4c:32:c4:88:bc:40:
3d:1c:80:a2:04:09:da:e0:3d:9d:e2:c5:2b:1d:64:7b:84:81:
4a:30:57:5a:c0:49:48:77:0b:c0:15:3e:cd:52:a9:d7:33:29:
eb:95:ce:b1:a2:9b:7c:9d:ac:53:3d:a7:2c:b0:f1:a5:d2:81:
c2:23:ea:bb:cd:e4:3f:e3:18:b4:70:6d:7d:23:1c:82:cc:01:
67:f9:2e:a9:8a:9e:94:ac:aa:ef:a3:9c:66:13:e7:b9:11:2f:
e5:52:c2:fe:92:f6:85:3f:3d:35:ad:57:15:d9:b8:19:b8:43:
73:62:f0:5a:55:d6:f3:18:7c:9f:79:fc:11:b8:ac:f6:a7:14:
e0:93:b1:9a:a8:42:1a:32:a8:36:43:87:b4:0d:76:2f:a5:ca:
66:4b:c4:cf:58:ec:c2:75:1b:32:58:8c:be:cc:b8:4a:0c:bd:
75:17:3d:b9:21:0b:e8:57:ea:84:92:e2:f8:d2:35:11:23:62:
4d:64:d0:3b:db:d5:1c:14:03:a7:ff:d9:0a:64:eb:36:2d:79:
6b:13:9f:d4:8d:08:01:86:83:10:a4:24:88:ea:6a:b4:75:07:
ab:54:87:2a:b6:87:23:d9:b0:00:d4:ba:6a:1d:db:ab:49:f2:
59:40:1f:6e:32:13:15:a7:40:3d:6a:22:24:12:4e:47:42:37:
9c:27:f5:d2:93:3f:40:77:f8:c5:db:9b:f0:92:15:51:74:0d:
5b:3c:f5:8b:a1:9c:39:f9:8b:41:3a:7b:57:00:31:d6:ca:e1:
5f:ef:54:7d:69:ba:2f:ce:52:6f:77:f6:b6:2c:c8:d8:d5:bc:
c9:99:d1:5a:5e:0f:b7:a4:24:09:58:07:af:bf:bc:1b:42:7b:
9c:31:22:5a:b8:bb:24:24:af:5b:5e:f5:a3:48:b1:bb:5c:ed:
86:87:70:af:10:6c:4e:34:d1:3e:2d:03:a8:4a:bf:67:1c:c6:
61:18:b1:82:75:5b:a0:b2:2f:1e:8d:f8:6a:bd:47:53:94:b2:
2c:93:74:c4:d6:d0:28:42:cf:4b:2f:61:81:86:42:53:ce:2f:
6b:e2:8e:aa:bf:9e:d1:9d:6a:2a:d3:83:0b:c0:df:fc:19:f3:
58:a0:ed:14:65:0f:87:9d:53:0b:d0:8d:fe:bb:97:8c:97:84:
f8:d4:c0:2c:99:44:99:83:3f:6d:d4:e9:c5:b0:8d:b9:df:d7:
5c:d3:fd:b9:90:36:1f:83:ba:53:dd:d0:8a:c6:a1:85:85:39:
af:6b:9b:da:c3:1c:27:f3:3d:94:af:65:12:07:98:f5:5d:de:
1a:d3:32:15:7a:d7:f7:63









share|improve this question















I follow https://jamielinux.com/docs/openssl-certificate-authority/index.html and after create root and intermediate ca the chain file dosnt have hierarchy like other ca.



Here's the sample of expected hierarchy:



enter image description here




  • Root ca creation

  • Intermediate CA created and singed by root ca

  • domain cert created and singed by intermediate.


Create https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html#create-the-certificate-chain-file



But after import ca-chain.cert.pem via firefox that contain intermediate and root (exactly this order) . Just import the intermediate.



enter image description here



enter image description here



After importing in browser website work well but there is no root ca in hierarchy. just intermediate then website certification.



Even after import root ca the cert doesn't hierarchy as i expected.
What i missed?



Root ca:



Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f1:61:fb:1e:9e:12:3d:1a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2058 GMT
Subject: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:dc:20:86:ef:e7:01:fe:a8:6f:72:c1:b0:19:f3:
54:4c:36:f8:c9:c3:e9:82:58:e1:40:d0:dc:94:40:
7e:81:44:bc:83:a2:60:b0:60:b5:07:db:8a:23:ba:
21:d6:b6:9e:72:fd:03:86:6c:87:92:2c:f0:f9:4c:
64:e3:42:50:e4:93:ce:49:55:ce:c6:ce:cd:36:af:
2f:d2:f8:61:21:92:2e:67:0a:57:13:7f:e5:d6:a0:
42:1e:61:46:f2:c5:f3:0d:05:19:09:93:b5:7d:6b:
23:d1:a4:ae:9d:e4:22:9e:17:f5:b8:38:11:f6:f7:
29:6c:a1:7e:b5:68:34:9d:31:b8:cb:bd:b8:fb:9a:
25:f6:96:8b:6b:21:22:38:f0:a6:b4:5a:3a:00:94:
f4:de:2c:15:98:b1:82:8b:fa:f2:0e:e8:8e:2e:69:
86:0f:f6:f4:82:8d:b5:6f:00:8b:cc:3c:29:b8:2d:
fa:03:c2:7f:46:c5:0b:9f:4e:ee:f5:82:d5:b2:9f:
29:3b:43:b8:0b:90:05:f6:53:68:be:f2:d2:91:f9:
ec:5a:3f:83:d0:0f:49:6a:7f:d9:a3:72:d0:8f:74:
a6:4b:c8:31:bd:ac:45:6b:51:c4:46:0d:aa:31:3d:
03:bb:fc:7f:50:c6:ec:57:72:84:40:a8:4f:1d:14:
b6:4d:30:6c:2f:b1:69:7a:9b:1f:8f:f9:af:a3:00:
df:96:df:df:e6:b9:6d:5e:bc:1e:40:e7:ee:fe:18:
aa:bb:19:e5:26:9f:79:01:76:06:26:6b:43:cb:15:
41:aa:01:19:d9:11:19:7b:df:99:8c:68:8d:4b:a9:
76:3b:32:ff:68:4d:5c:0e:5d:c7:5f:ed:1a:20:f4:
68:29:0b:21:ac:79:05:9a:57:0a:54:d7:7d:06:83:
f9:b5:79:09:65:fa:c2:83:6d:b6:77:3e:e0:b2:ac:
15:b4:88:22:95:64:70:27:88:50:2b:e4:2e:6f:df:
f1:3c:fa:21:70:c2:bf:54:18:3e:2a:6f:2f:28:0f:
d3:83:61:6c:b5:9d:5e:4f:f8:8a:3b:75:ef:e9:97:
58:98:2f:31:39:cd:dd:18:ff:fc:ce:d0:83:72:23:
4f:e1:66:a4:0b:2a:5d:44:79:e4:7b:6a:67:d5:c5:
6a:a7:c9:ff:7e:1c:1b:20:e9:18:ee:69:cd:5b:cb:
f1:c3:cd:9e:62:38:f3:b0:f3:70:f8:0e:2f:c9:7b:
27:6e:5b:e4:78:b8:a2:b4:5a:26:ff:9f:bd:c6:b1:
2d:5b:a4:b3:49:17:24:68:02:be:b9:7e:c3:d5:37:
ca:c3:b4:bd:1b:28:fd:70:45:4f:9e:7e:1b:2a:14:
3d:cf:f9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Issuer Alternative Name:
<EMPTY>

X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
8a:33:b3:59:6d:30:11:d1:df:71:fa:ed:90:02:13:40:84:e0:
54:3e:88:ce:12:07:c9:29:ce:44:69:c0:e8:d4:90:e3:48:5c:
0c:6d:4f:c4:d6:af:a3:c5:86:ff:d1:93:8f:9b:b3:5e:8f:37:
fa:9c:93:cd:a8:0d:71:28:91:fa:06:17:70:a4:be:7a:30:b1:
76:c3:33:f2:4b:a7:b8:ec:a7:f9:76:e9:08:cb:b3:1b:cd:a5:
5f:c6:1a:85:7c:76:d4:67:da:d4:80:6d:be:80:4b:5c:f6:d0:
f8:f5:47:12:73:92:35:86:f2:76:4f:82:2c:e9:ec:1b:bf:5b:
cb:fa:31:65:41:ad:6f:e6:71:76:76:46:e7:51:b2:d0:fe:77:
76:2f:49:9d:c2:79:7a:94:9b:a8:42:4e:91:bb:72:60:c6:91:
e9:e6:cf:59:17:20:75:14:90:42:7c:c9:5d:27:10:b9:81:c0:
a5:43:3d:0a:e0:c6:ba:7e:e9:9a:98:02:a6:bf:5d:55:2b:31:
b9:0a:91:d7:f0:28:07:0b:80:e2:1c:0e:5f:c8:f8:88:17:3d:
8b:b0:b3:df:09:e3:0d:4b:1c:ed:d9:d1:8a:9a:d8:d8:b0:e6:
bf:9f:1e:14:86:45:47:5a:c5:e3:90:06:b7:0a:72:60:0d:0d:
2c:bd:ce:19:57:02:09:e0:d8:6e:ed:9a:7e:d6:8d:18:42:fc:
32:54:88:c1:87:98:0b:7e:ca:dd:9a:3e:d8:5b:00:91:28:ea:
2b:35:ad:36:6c:9d:e0:cc:41:cd:e9:31:75:ec:2c:e5:5e:24:
59:cd:f6:cb:14:42:e1:b6:30:84:6e:f2:13:8a:9e:32:0e:34:
1a:4f:5d:a7:19:67:64:84:29:5f:ec:7e:18:1a:7f:0c:65:6a:
04:8a:fa:a2:2b:76:ff:1f:c4:0a:5f:1b:df:4e:6b:60:58:ae:
37:d8:b8:3b:09:fa:34:8e:6a:e2:1c:a5:c6:a5:2c:a1:22:09:
03:91:b5:16:d6:d5:60:0b:a9:c2:8d:f4:6f:2c:1e:43:60:9d:
a3:8b:5c:34:ef:89:e5:93:ba:93:f8:92:96:fb:d2:f4:4b:68:
ca:0a:8c:58:d4:e2:cd:8e:e4:d7:90:1c:79:6f:c7:c2:61:ae:
e7:52:07:70:e2:d9:b4:59:b2:73:c4:eb:f0:39:09:3f:b3:69:
c7:2e:29:28:f5:a3:cd:fb:fd:2c:6b:b6:ad:de:f4:86:c4:e7:
20:e2:fc:37:40:95:b2:11:27:48:3c:3e:1c:f9:bd:fe:d2:56:
4d:a4:21:9c:85:eb:95:f1:bb:82:72:10:1c:d5:ff:eb:78:eb:
c7:5c:5f:fd:ec:0c:07:66


Intermediate CA:



Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2048 GMT
Subject: C = IR, ST = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Intermediate Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:d4:fd:41:15:a9:9e:ee:ef:09:3f:3f:54:55:
b4:bc:eb:15:d7:e8:3f:3d:5c:6a:f1:6e:83:33:da:
98:d5:e8:f8:ee:a3:62:a0:5a:bd:e0:a6:b3:c3:a1:
2c:7f:80:32:e5:f7:a9:0d:e0:33:2f:16:03:bd:59:
f4:47:6c:2b:6a:c3:d1:bf:a8:98:d6:1a:25:48:45:
94:cc:f4:3b:00:fa:3a:62:5f:1d:2e:e6:e3:cc:f8:
4e:78:8e:0d:93:ca:46:d9:b8:fa:45:f6:0d:8a:9d:
47:47:fe:10:1f:54:69:8c:eb:5d:71:d5:69:dc:0f:
12:9f:7b:a1:3e:e4:79:77:0b:f1:f3:33:9f:a8:75:
5c:3c:1f:38:96:c9:6f:8e:f4:b7:33:d8:51:c7:43:
42:1f:8f:7f:99:8e:d7:16:e0:cd:c8:c5:71:ac:4e:
07:c5:59:88:c6:97:55:a8:1c:ef:c8:43:30:25:7d:
8d:00:65:ab:bc:6f:d4:54:48:3b:6f:d6:e6:6f:ee:
da:3a:93:73:c3:9c:79:27:3a:fe:01:8f:67:24:91:
d1:92:1b:76:90:df:68:2b:8f:74:06:bd:f3:e3:96:
31:90:23:31:49:e9:76:51:ee:8f:3e:85:78:3c:99:
e4:84:4d:1a:61:86:8f:22:d2:b6:90:96:f4:ca:52:
c5:c7:3c:c9:cc:bd:3f:6b:56:df:df:21:0d:b3:09:
05:12:b5:37:ee:61:26:a6:0d:21:d7:52:f9:49:0d:
17:8c:44:ab:72:82:0c:db:05:33:77:67:70:bb:94:
4c:db:07:97:58:77:f2:28:95:6e:97:d2:f3:6f:fa:
b9:58:23:e1:39:81:b0:c5:1c:df:7f:45:5c:b1:8f:
89:bd:b8:51:0d:6a:a5:db:9d:8f:97:05:2d:fa:3b:
15:04:67:b4:b4:b2:fd:fb:69:b9:d3:73:0c:56:79:
e2:67:7a:0d:f8:6d:60:04:48:99:c4:7e:6a:8c:b0:
73:d1:70:a7:7d:0b:c5:6d:40:72:fb:58:fd:b4:46:
8c:a0:40:87:1c:23:75:1a:8a:4b:40:3b:f3:38:50:
18:3d:99:d3:2d:81:87:dc:27:22:39:36:fd:59:b9:
03:63:1c:76:ff:a8:0b:7b:8f:de:ff:6d:59:18:3e:
e5:a9:0f:b8:2f:fd:52:5a:7a:e4:d4:03:4b:25:9a:
50:e5:1b:80:ce:ab:4a:04:0e:5f:a8:31:01:38:ea:
7f:1e:b5:0a:a5:65:f9:b0:c4:24:55:89:6e:8d:9e:
3a:cf:e9:9a:f5:8c:e1:1b:ee:29:2b:3b:16:51:d8:
77:fe:95:f9:15:d3:a9:61:30:bc:94:0a:7d:98:87:
d2:82:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A7:6C:F7:40:34:DD:ED:0E:25:46:5D:16:65:4D:8F:ED:29:E8:5E:A7
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
d6:e5:f9:73:b4:50:98:ab:e9:6d:44:ef:4c:32:c4:88:bc:40:
3d:1c:80:a2:04:09:da:e0:3d:9d:e2:c5:2b:1d:64:7b:84:81:
4a:30:57:5a:c0:49:48:77:0b:c0:15:3e:cd:52:a9:d7:33:29:
eb:95:ce:b1:a2:9b:7c:9d:ac:53:3d:a7:2c:b0:f1:a5:d2:81:
c2:23:ea:bb:cd:e4:3f:e3:18:b4:70:6d:7d:23:1c:82:cc:01:
67:f9:2e:a9:8a:9e:94:ac:aa:ef:a3:9c:66:13:e7:b9:11:2f:
e5:52:c2:fe:92:f6:85:3f:3d:35:ad:57:15:d9:b8:19:b8:43:
73:62:f0:5a:55:d6:f3:18:7c:9f:79:fc:11:b8:ac:f6:a7:14:
e0:93:b1:9a:a8:42:1a:32:a8:36:43:87:b4:0d:76:2f:a5:ca:
66:4b:c4:cf:58:ec:c2:75:1b:32:58:8c:be:cc:b8:4a:0c:bd:
75:17:3d:b9:21:0b:e8:57:ea:84:92:e2:f8:d2:35:11:23:62:
4d:64:d0:3b:db:d5:1c:14:03:a7:ff:d9:0a:64:eb:36:2d:79:
6b:13:9f:d4:8d:08:01:86:83:10:a4:24:88:ea:6a:b4:75:07:
ab:54:87:2a:b6:87:23:d9:b0:00:d4:ba:6a:1d:db:ab:49:f2:
59:40:1f:6e:32:13:15:a7:40:3d:6a:22:24:12:4e:47:42:37:
9c:27:f5:d2:93:3f:40:77:f8:c5:db:9b:f0:92:15:51:74:0d:
5b:3c:f5:8b:a1:9c:39:f9:8b:41:3a:7b:57:00:31:d6:ca:e1:
5f:ef:54:7d:69:ba:2f:ce:52:6f:77:f6:b6:2c:c8:d8:d5:bc:
c9:99:d1:5a:5e:0f:b7:a4:24:09:58:07:af:bf:bc:1b:42:7b:
9c:31:22:5a:b8:bb:24:24:af:5b:5e:f5:a3:48:b1:bb:5c:ed:
86:87:70:af:10:6c:4e:34:d1:3e:2d:03:a8:4a:bf:67:1c:c6:
61:18:b1:82:75:5b:a0:b2:2f:1e:8d:f8:6a:bd:47:53:94:b2:
2c:93:74:c4:d6:d0:28:42:cf:4b:2f:61:81:86:42:53:ce:2f:
6b:e2:8e:aa:bf:9e:d1:9d:6a:2a:d3:83:0b:c0:df:fc:19:f3:
58:a0:ed:14:65:0f:87:9d:53:0b:d0:8d:fe:bb:97:8c:97:84:
f8:d4:c0:2c:99:44:99:83:3f:6d:d4:e9:c5:b0:8d:b9:df:d7:
5c:d3:fd:b9:90:36:1f:83:ba:53:dd:d0:8a:c6:a1:85:85:39:
af:6b:9b:da:c3:1c:27:f3:3d:94:af:65:12:07:98:f5:5d:de:
1a:d3:32:15:7a:d7:f7:63


Chain CA:



Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IR, ST = Tehran, L = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Root Certificate Authority, emailAddress = iu@sample.tld.com
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Jan 1 00:00:00 2048 GMT
Subject: C = IR, ST = Tehran, O = SampleOrg, OU = Infrastructure Unit, CN = SampleOrg Intermediate Certificate Authority, emailAddress = iu@sample.tld.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ad:d4:fd:41:15:a9:9e:ee:ef:09:3f:3f:54:55:
b4:bc:eb:15:d7:e8:3f:3d:5c:6a:f1:6e:83:33:da:
98:d5:e8:f8:ee:a3:62:a0:5a:bd:e0:a6:b3:c3:a1:
2c:7f:80:32:e5:f7:a9:0d:e0:33:2f:16:03:bd:59:
f4:47:6c:2b:6a:c3:d1:bf:a8:98:d6:1a:25:48:45:
94:cc:f4:3b:00:fa:3a:62:5f:1d:2e:e6:e3:cc:f8:
4e:78:8e:0d:93:ca:46:d9:b8:fa:45:f6:0d:8a:9d:
47:47:fe:10:1f:54:69:8c:eb:5d:71:d5:69:dc:0f:
12:9f:7b:a1:3e:e4:79:77:0b:f1:f3:33:9f:a8:75:
5c:3c:1f:38:96:c9:6f:8e:f4:b7:33:d8:51:c7:43:
42:1f:8f:7f:99:8e:d7:16:e0:cd:c8:c5:71:ac:4e:
07:c5:59:88:c6:97:55:a8:1c:ef:c8:43:30:25:7d:
8d:00:65:ab:bc:6f:d4:54:48:3b:6f:d6:e6:6f:ee:
da:3a:93:73:c3:9c:79:27:3a:fe:01:8f:67:24:91:
d1:92:1b:76:90:df:68:2b:8f:74:06:bd:f3:e3:96:
31:90:23:31:49:e9:76:51:ee:8f:3e:85:78:3c:99:
e4:84:4d:1a:61:86:8f:22:d2:b6:90:96:f4:ca:52:
c5:c7:3c:c9:cc:bd:3f:6b:56:df:df:21:0d:b3:09:
05:12:b5:37:ee:61:26:a6:0d:21:d7:52:f9:49:0d:
17:8c:44:ab:72:82:0c:db:05:33:77:67:70:bb:94:
4c:db:07:97:58:77:f2:28:95:6e:97:d2:f3:6f:fa:
b9:58:23:e1:39:81:b0:c5:1c:df:7f:45:5c:b1:8f:
89:bd:b8:51:0d:6a:a5:db:9d:8f:97:05:2d:fa:3b:
15:04:67:b4:b4:b2:fd:fb:69:b9:d3:73:0c:56:79:
e2:67:7a:0d:f8:6d:60:04:48:99:c4:7e:6a:8c:b0:
73:d1:70:a7:7d:0b:c5:6d:40:72:fb:58:fd:b4:46:
8c:a0:40:87:1c:23:75:1a:8a:4b:40:3b:f3:38:50:
18:3d:99:d3:2d:81:87:dc:27:22:39:36:fd:59:b9:
03:63:1c:76:ff:a8:0b:7b:8f:de:ff:6d:59:18:3e:
e5:a9:0f:b8:2f:fd:52:5a:7a:e4:d4:03:4b:25:9a:
50:e5:1b:80:ce:ab:4a:04:0e:5f:a8:31:01:38:ea:
7f:1e:b5:0a:a5:65:f9:b0:c4:24:55:89:6e:8d:9e:
3a:cf:e9:9a:f5:8c:e1:1b:ee:29:2b:3b:16:51:d8:
77:fe:95:f9:15:d3:a9:61:30:bc:94:0a:7d:98:87:
d2:82:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A7:6C:F7:40:34:DD:ED:0E:25:46:5D:16:65:4D:8F:ED:29:E8:5E:A7
X509v3 Authority Key Identifier:
keyid:4B:E6:00:6C:EB:DF:D8:4E:AB:EB:86:48:A2:8D:BB:18:09:C4:B4:6F

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
d6:e5:f9:73:b4:50:98:ab:e9:6d:44:ef:4c:32:c4:88:bc:40:
3d:1c:80:a2:04:09:da:e0:3d:9d:e2:c5:2b:1d:64:7b:84:81:
4a:30:57:5a:c0:49:48:77:0b:c0:15:3e:cd:52:a9:d7:33:29:
eb:95:ce:b1:a2:9b:7c:9d:ac:53:3d:a7:2c:b0:f1:a5:d2:81:
c2:23:ea:bb:cd:e4:3f:e3:18:b4:70:6d:7d:23:1c:82:cc:01:
67:f9:2e:a9:8a:9e:94:ac:aa:ef:a3:9c:66:13:e7:b9:11:2f:
e5:52:c2:fe:92:f6:85:3f:3d:35:ad:57:15:d9:b8:19:b8:43:
73:62:f0:5a:55:d6:f3:18:7c:9f:79:fc:11:b8:ac:f6:a7:14:
e0:93:b1:9a:a8:42:1a:32:a8:36:43:87:b4:0d:76:2f:a5:ca:
66:4b:c4:cf:58:ec:c2:75:1b:32:58:8c:be:cc:b8:4a:0c:bd:
75:17:3d:b9:21:0b:e8:57:ea:84:92:e2:f8:d2:35:11:23:62:
4d:64:d0:3b:db:d5:1c:14:03:a7:ff:d9:0a:64:eb:36:2d:79:
6b:13:9f:d4:8d:08:01:86:83:10:a4:24:88:ea:6a:b4:75:07:
ab:54:87:2a:b6:87:23:d9:b0:00:d4:ba:6a:1d:db:ab:49:f2:
59:40:1f:6e:32:13:15:a7:40:3d:6a:22:24:12:4e:47:42:37:
9c:27:f5:d2:93:3f:40:77:f8:c5:db:9b:f0:92:15:51:74:0d:
5b:3c:f5:8b:a1:9c:39:f9:8b:41:3a:7b:57:00:31:d6:ca:e1:
5f:ef:54:7d:69:ba:2f:ce:52:6f:77:f6:b6:2c:c8:d8:d5:bc:
c9:99:d1:5a:5e:0f:b7:a4:24:09:58:07:af:bf:bc:1b:42:7b:
9c:31:22:5a:b8:bb:24:24:af:5b:5e:f5:a3:48:b1:bb:5c:ed:
86:87:70:af:10:6c:4e:34:d1:3e:2d:03:a8:4a:bf:67:1c:c6:
61:18:b1:82:75:5b:a0:b2:2f:1e:8d:f8:6a:bd:47:53:94:b2:
2c:93:74:c4:d6:d0:28:42:cf:4b:2f:61:81:86:42:53:ce:2f:
6b:e2:8e:aa:bf:9e:d1:9d:6a:2a:d3:83:0b:c0:df:fc:19:f3:
58:a0:ed:14:65:0f:87:9d:53:0b:d0:8d:fe:bb:97:8c:97:84:
f8:d4:c0:2c:99:44:99:83:3f:6d:d4:e9:c5:b0:8d:b9:df:d7:
5c:d3:fd:b9:90:36:1f:83:ba:53:dd:d0:8a:c6:a1:85:85:39:
af:6b:9b:da:c3:1c:27:f3:3d:94:af:65:12:07:98:f5:5d:de:
1a:d3:32:15:7a:d7:f7:63






certificate openssl certificate-authority






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 14 at 19:53

























asked Nov 14 at 18:43









sweb

3041410




3041410








  • 1




    openssl x509 -noout -text -in <certificate file> will give you a better view of your certificates than an image. Copy/paste the output for all of your certificates into your question.
    – garethTheRed
    Nov 14 at 19:17










  • @garethTheRed added.
    – sweb
    Nov 14 at 19:54






  • 2




    You only add the Root CA certificate to Firefox (or any other browser and/or Operating System). All other certificates are added to the bundle end-entity first, followed by the CA that signed it, followed by the CA that signed that, all the way to the last Intermediate CA. There's no need to add the Root CA here as that's installed in Firefox (or similar). This bundle is then installed in your web-server.
    – garethTheRed
    Nov 14 at 21:14
















  • 1




    openssl x509 -noout -text -in <certificate file> will give you a better view of your certificates than an image. Copy/paste the output for all of your certificates into your question.
    – garethTheRed
    Nov 14 at 19:17










  • @garethTheRed added.
    – sweb
    Nov 14 at 19:54






  • 2




    You only add the Root CA certificate to Firefox (or any other browser and/or Operating System). All other certificates are added to the bundle end-entity first, followed by the CA that signed it, followed by the CA that signed that, all the way to the last Intermediate CA. There's no need to add the Root CA here as that's installed in Firefox (or similar). This bundle is then installed in your web-server.
    – garethTheRed
    Nov 14 at 21:14










1




1




openssl x509 -noout -text -in <certificate file> will give you a better view of your certificates than an image. Copy/paste the output for all of your certificates into your question.
– garethTheRed
Nov 14 at 19:17




openssl x509 -noout -text -in <certificate file> will give you a better view of your certificates than an image. Copy/paste the output for all of your certificates into your question.
– garethTheRed
Nov 14 at 19:17












@garethTheRed added.
– sweb
Nov 14 at 19:54




@garethTheRed added.
– sweb
Nov 14 at 19:54




2




2




You only add the Root CA certificate to Firefox (or any other browser and/or Operating System). All other certificates are added to the bundle end-entity first, followed by the CA that signed it, followed by the CA that signed that, all the way to the last Intermediate CA. There's no need to add the Root CA here as that's installed in Firefox (or similar). This bundle is then installed in your web-server.
– garethTheRed
Nov 14 at 21:14






You only add the Root CA certificate to Firefox (or any other browser and/or Operating System). All other certificates are added to the bundle end-entity first, followed by the CA that signed it, followed by the CA that signed that, all the way to the last Intermediate CA. There's no need to add the Root CA here as that's installed in Firefox (or similar). This bundle is then installed in your web-server.
– garethTheRed
Nov 14 at 21:14












1 Answer
1






active

oldest

votes

















up vote
0
down vote



accepted










HTTP server must has chain of domain and intermediate as chain of server side certificate.



cat certs/intermediate/certs/domain.cert.pem  
certs/intermediate/certs/intermediate.cert.pem > webserver.cert.pem


This is not documented thou.






share|improve this answer





















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














     

    draft saved


    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375417%2fpki-certs-hierarchy%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote



    accepted










    HTTP server must has chain of domain and intermediate as chain of server side certificate.



    cat certs/intermediate/certs/domain.cert.pem  
    certs/intermediate/certs/intermediate.cert.pem > webserver.cert.pem


    This is not documented thou.






    share|improve this answer

























      up vote
      0
      down vote



      accepted










      HTTP server must has chain of domain and intermediate as chain of server side certificate.



      cat certs/intermediate/certs/domain.cert.pem  
      certs/intermediate/certs/intermediate.cert.pem > webserver.cert.pem


      This is not documented thou.






      share|improve this answer























        up vote
        0
        down vote



        accepted







        up vote
        0
        down vote



        accepted






        HTTP server must has chain of domain and intermediate as chain of server side certificate.



        cat certs/intermediate/certs/domain.cert.pem  
        certs/intermediate/certs/intermediate.cert.pem > webserver.cert.pem


        This is not documented thou.






        share|improve this answer












        HTTP server must has chain of domain and intermediate as chain of server side certificate.



        cat certs/intermediate/certs/domain.cert.pem  
        certs/intermediate/certs/intermediate.cert.pem > webserver.cert.pem


        This is not documented thou.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 15 at 15:54









        sweb

        3041410




        3041410






























             

            draft saved


            draft discarded



















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375417%2fpki-certs-hierarchy%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Plaza Victoria

            Puebla de Zaragoza

            Musa