Check certificate chain of trust using OpenSSL

Sometimes when you get an error like this:

Unable to Verify first certificate

Then the error you are seeing is due to the server not being able to verify your certificate’s chain of trust. From the domain you have shown there, looks like your certificate bundle does not have a Digicert intermediate certificate installed in your server. Meaning, when verifying the chain of trust, your server certificate gets validated from intermediate CA, and intermediate CAs certificate gets validated from rootCA. FYI, This is known as the certificate chain of trust and building block for HTTPS.

When you issue or buy certificate from any CA, you will get 3 certificate, rootCA cert, intermediateCA cert and domain certificate. You need to create a bundle of those certificate using this command

cat rootCA.crt server.crt intermediate.crt >> bundle.crt.

Then, if you are using NGINX for reverse proxy then add the configuration in your NGINX configuration file i.e /etc/nginx/sites-available/<configuration file>

ssl_certificate …./…/bundle.crt
ssl_certificate_key <Private key>

Private key is issued using CSR request to the certificate provider. DO NOT DO IT TWICE, they might charge you again. Once it’ s installed you can move forward to check certificate status.

You can check the certificate chain of trust using following command.

openssl s_client -connect example.com:443 -servername example.com

and also using the header using curl

curl -v https://example.com

Once your certificate is installed and configured, you can go to following URL to see, if your certificate chain of trust of verified or not.

https://www.digicert.com/help/

A word of advice, If you are using free SSL from cloud flare then do not use it as cloud flare does not install SSL to your server, rather certificate is installed in the edge server. If you want full SSL encryption to your server, use certificate providers like LE. That way traffic is encrypted up to your server and to the LB.