When you install an SSL certificate, your server may ask you to import a CA Bundle along with your primary certificate. Here’s where users usually encounter difficulties. They either don’t know where to find the CA bundle or struggle to create it.
A CA Bundle is a file that contains the root and intermediate certificates. Together with your server certificate (issued specifically for your domain), these files complete the SSL chain of trust. The chain is required to improve the compatibility of the certificates with web browsers, email clients, and mobile devices.
The CA bundle is essential for older browser versions and obsolete systems. If an intermediate certificate is missing or isn’t configured correctly, browsers won’t recognize your certificate.
A missing intermediate is one of the most common causes of SSL connection errors. To avoid this issue, you must import the right file. Moreover, the certificates inside the CA Bundle must be in the correct order.
Where to find the CA Bundle?
Not all Certificate Authorities will send you the CA Bundle file. You may receive your root and intermediate certificates as separate files. If your certificate is in the PKCS#7 format (appropriate mostly for IIS/Microsoft Exchange), the bundle is already included in your certificate and you do not need to install it separately.
After you successfully apply for an SSL certificate, the CA will provide you with all the necessary installation files. Download the installation pack and extract its contents on your device. If there’s a file with a .ca-bundle extension, all you have to do is upload it to your server in the relevant field. If you’ve received your root and intermediate certs as separate files, you should combine them into a single one to create the CA Bundle file. Here’s how to do it:
How to create the CA Bundle?
To create the CA Bundle file, you’ll need a text editor such as Notepad, and of course, the root and intermediate certificates as separate files. A typical SSL installation pack may include the following files:
- AddTrustExternalCARoot.crt (the root certificate)
- SectigoRSAAddTrustCA.crt OR SectigoECCAddTrustCA.crt (intermediate certificate 1)
- SectigoRSAECCDomain/Organization/ExtendedvalidationSecureServerCA.crt (intermediate certificate 2)
- SectigoSHA256SecureServerCA.crt (intermediate certificate 3)
- yourDomain.crt (the SSL certificate issued for your domain)
To make your own CA bundle, place the root and intermediate SSL certificates inside a single text file, in the exact order shown below.
- Open all files except your domain certificate in a text editor.
- Create a new blank text file and name it “yourdomain.ca-bundle”.
- Copy the contents of all files and paste them into the new file in this exact order:
  - Intermediate certificate 3
  - Intermediate certificate 2
  - Intermediate certificate 1
  - Root Certificate
- Save the newly created file. You can now upload it to your server.
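The ordering in the steps above can be checked mechanically before you upload the file. The following Python code is an added example, not part of the original article: it builds the bundle from the separate files, confirms that each certificate's issuer matches the subject of the next one and that the last one is a self-signed root, and rewrites each block so it ends with a newline. The function names are assumptions, `skeleton_cert` only constructs certificate-shaped sample data, and names are compared byte for byte.

```python
import base64, re, ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject names of one certificate."""
    _, pos, _ = tlv(der, 0)      # outer Certificate SEQUENCE
    _, pos, end = tlv(der, pos)  # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, stop = tlv(der, pos)
        if tag != 0xA0:          # skip the optional [0] version
            fields.append(der[pos:stop])
        pos = stop
    return fields[2], fields[4]  # serial, sigAlg, issuer, validity, subject

def build_ca_bundle(pem_texts):
    """pem_texts: file contents in the order intermediate 3, 2, 1, root."""
    ders = []
    for n, text in enumerate(pem_texts, 1):
        blocks = PEM_RE.findall(text)
        if len(blocks) != 1:
            raise ValueError(f"file {n}: expected exactly one certificate")
        ders.append(base64.b64decode(blocks[0]))
    for n, (child, parent) in enumerate(zip(ders, ders[1:]), 1):
        if issuer_subject(child)[0] != issuer_subject(parent)[1]:
            raise ValueError(f"file {n} was not issued by file {n + 1}")
    issuer, subject = issuer_subject(ders[-1])
    if issuer != subject:
        raise ValueError("last file is not a self-signed root")
    # Re-encode so each block ends in a newline even if the input file did not.
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)

def skeleton_cert(subject, issuer):
    """Constructed sample: certificate-shaped DER with no real key or signature."""
    def seq(*parts, tag=0x30):
        body = b"".join(parts)
        return bytes([tag, len(body)]) + body
    name = lambda s: seq(seq(s.encode(), tag=0x0C))
    tbs = seq(seq(b"\x02\x01\x02", tag=0xA0), b"\x02\x01\x01", seq(),
              name(issuer), seq(), name(subject), seq())
    return ssl.DER_cert_to_PEM_cert(seq(tbs, seq(), b"\x03\x01\x00"))
```

This checks name chaining and file layout only; it does not verify signatures or validity dates.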
If you’ve lost the CA bundle or the root and intermediate files, you can get the bundle from your CA. For example, here are the Sectigo CA Bundle codes. And here are the DigiCert root and intermediate certificates. For more questions about the CA Bundle, contact your CA or SSL vendor.